# Flog Txt Version 1 # Analyzer Version: 3.2.1 # Analyzer Build Date: Feb 18 2020 07:49:07 # Log Creation Date: 24.02.2020 16:21:39.790 Process: id = "1" image_name = "winhost.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe" page_root = "0x4caf2000" os_pid = "0x5a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa74 [0027.922] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleW") returned 0x76d434b0 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextFileW") returned 0x76d454ee [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="MoveFileW") returned 0x76d59af0 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSizeEx") returned 0x76d459e2 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0027.923] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileAttributesW") returned 0x76d41b18 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineW") returned 0x76d45223 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameW") returned 0x76d4dd0e [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameA") returned 0x76d5b6e0 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenW") returned 0x76d41700 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcess") returned 0x76d41809 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="GetLogicalDrives") returned 0x76d45371 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount") returned 0x76d4110c [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileW") returned 0x76d489b3 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76d41916 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="OpenMutexW") returned 0x76d45151 [0027.924] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForMultipleObjects") returned 0x76d44220 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpiW") returned 0x76d5d5cd [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpiA") returned 0x76d43e8e [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseMutex") returned 0x76d4111e [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersion") returned 0x76d44467 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThread") returned 0x76d434d5 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="ExpandEnvironmentStringsW") returned 0x76d44173 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceCounter") returned 0x76d41725 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceFrequency") returned 0x76d441f0 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileAttributesW") returned 0x76d5d4f7 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="GetVolumeInformationW") returned 0x76d5c860 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointerEx") returned 0x76d5c807 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="SetEndOfFile") returned 0x76d5ce2e [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileW") returned 0x76d44435 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcessHeap") returned 0x76d414e9 [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="HeapReAlloc") returned 0x77c81f6e [0027.925] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="CreatePipe") returned 0x76dc415b [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="SetHandleInformation") returned 0x76d5195c [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessW") returned 0x76d4103d [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringW") returned 0x76d43bca [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringA") returned 0x76d43c5a [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="OpenProcess") returned 0x76d41986 [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateProcess") returned 0x76d5d802 [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTime") returned 0x76d45a96 [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="SystemTimeToFileTime") returned 0x76d45a7e [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="CreateToolhelp32Snapshot") returned 0x76d6735f [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="Process32NextW") returned 0x76d6896c [0027.926] GetProcAddress (hModule=0x76d30000, lpProcName="Process32FirstW") returned 0x76d68baf [0027.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExW") returned 0x7772468d [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExW") returned 0x777246ad [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExW") returned 0x777214d6 [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="OpenProcessToken") returned 0x77724304 [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="GetTokenInformation") returned 0x7772431c [0029.672] GetProcAddress (hModule=0x77710000, lpProcName="OpenSCManagerW") returned 0x7771ca64 [0029.673] GetProcAddress (hModule=0x77710000, lpProcName="OpenServiceW") returned 0x7771ca4c [0029.673] GetProcAddress (hModule=0x77710000, lpProcName="CloseServiceHandle") returned 0x7772369c [0029.673] GetProcAddress (hModule=0x77710000, lpProcName="ControlService") returned 0x77737144 [0029.673] GetProcAddress (hModule=0x77710000, lpProcName="QueryServiceStatus") returned 0x77722a86 [0029.673] GetProcAddress (hModule=0x77710000, lpProcName="EnumDependentServicesW") returned 0x77711e3a [0029.673] GetProcAddress (hModule=0x77710000, lpProcName="EnumServicesStatusExW") returned 0x7771b466 [0029.673] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0031.392] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0031.392] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x759d0000 [0033.538] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0033.538] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c40000 [0033.538] GetProcAddress (hModule=0x77c40000, lpProcName="NtQuerySystemInformation") returned 0x77c5fda0 [0033.538] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x75660000 [0033.632] GetProcAddress (hModule=0x75660000, lpProcName="WNetCloseEnum") returned 0x75662dd6 [0033.632] GetProcAddress (hModule=0x75660000, lpProcName="WNetOpenEnumW") returned 0x75662f06 [0033.632] GetProcAddress (hModule=0x75660000, lpProcName="WNetEnumResourceW") returned 0x75663058 [0033.632] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0033.821] GetProcAddress (hModule=0x77230000, lpProcName="WSAStartup") returned 0x77233ab2 [0033.821] GetProcAddress (hModule=0x77230000, lpProcName="socket") returned 0x77233eb8 [0033.821] GetProcAddress (hModule=0x77230000, lpProcName="send") returned 0x77236f01 [0033.821] GetProcAddress (hModule=0x77230000, lpProcName="recv") returned 0x77236b0e [0033.821] GetProcAddress (hModule=0x77230000, lpProcName="connect") returned 0x77236bdd [0033.821] GetProcAddress (hModule=0x77230000, lpProcName="closesocket") returned 0x77233918 [0033.822] GetProcAddress (hModule=0x77230000, lpProcName="gethostbyname") returned 0x77247673 [0033.822] GetProcAddress (hModule=0x77230000, lpProcName="inet_addr") returned 0x7723311b [0033.822] GetProcAddress (hModule=0x77230000, lpProcName="ntohl") returned 0x77232d57 [0033.822] GetProcAddress (hModule=0x77230000, lpProcName="htonl") returned 0x77232d57 [0033.822] GetProcAddress (hModule=0x77230000, lpProcName="htons") returned 0x77232d8b [0033.822] GetProcessHeap () returned 0x500000 [0033.822] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x20) returned 0x5140d0 [0033.822] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=15457803023) returned 1 [0033.822] GetTickCount () returned 0x11435b1 [0033.822] GetCurrentProcessId () returned 0x5a8 [0033.823] GetTickCount () returned 0x11435b1 [0033.823] GetTickCount () returned 0x11435b1 [0033.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x20) returned 0x5140f8 [0033.823] GetVersion () returned 0x1db10106 [0033.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7) returned 0x5036b8 [0033.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x510bd8 [0033.823] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x510bd8, Size=0x20) returned 0x514148 [0033.823] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514148, Size=0x40) returned 0x5146b8 [0033.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x514908 [0033.823] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_S49B83A") returned 0x0 [0033.823] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_S49B83A") returned 0x84 [0033.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5036b8 | out: hHeap=0x500000) returned 1 [0033.824] lstrlenW (lpString="Global\\syncronize_") returned 18 [0033.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5146b8 | out: hHeap=0x500000) returned 1 [0033.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7) returned 0x5036b8 [0033.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x510bd8 [0033.824] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x510bd8, Size=0x20) returned 0x514148 [0033.824] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514148, Size=0x40) returned 0x5146b8 [0033.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x524910 [0033.824] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_S49B83U") returned 0x0 [0033.824] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_S49B83U") returned 0x88 [0033.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5036b8 | out: hHeap=0x500000) returned 1 [0033.824] lstrlenW (lpString="Global\\syncronize_") returned 18 [0033.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5146b8 | out: hHeap=0x500000) returned 1 [0033.824] GetVersion () returned 0x1db10106 [0033.824] GetCurrentProcess () returned 0xffffffff [0033.824] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0033.824] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0033.824] CloseHandle (hObject=0x8c) returned 1 [0033.825] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0033.825] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x5036b8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x510bd8 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x510bd8, Size=0x20) returned 0x514148 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514148, Size=0x40) returned 0x5146b8 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5146b8, Size=0x80) returned 0x5146b8 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5146b8, Size=0x100) returned 0x5146b8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x34) returned 0x5147c0 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x5107c8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x5107d8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5107e8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x510bd8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514800 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x510bf0 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514800, Size=0x8) returned 0x514800 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x510c08 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514800, Size=0x10) returned 0x514800 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x510c20 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x510c38 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514800, Size=0x20) returned 0x514800 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x510c50 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x510c68 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5107c8, Size=0x8) returned 0x5107c8 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5107d8, Size=0x8) returned 0x5107d8 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x514828 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x510c80 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514838 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x510c98 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514838, Size=0x8) returned 0x514838 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534930 [0033.825] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514838, Size=0x10) returned 0x514838 [0033.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534948 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x514850 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514838, Size=0x20) returned 0x514860 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5107c8, Size=0x10) returned 0x514838 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5107d8, Size=0x10) returned 0x514888 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5107c8 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x534960 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x5107d8 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534978 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5107d8, Size=0x8) returned 0x5107d8 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5148a0 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x534990 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x5148b0 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5349a8 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5148b0, Size=0x8) returned 0x5148b0 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514838, Size=0x20) returned 0x534d18 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514888, Size=0x20) returned 0x534d40 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x514888 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x5349c0 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514838 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5349d8 [0033.826] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514838, Size=0x8) returned 0x514838 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x534d68 [0033.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x534d88 [0033.826] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0033.826] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5146b8 | out: hHeap=0x500000) returned 1 [0033.826] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5349f0 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5349f0, Size=0x20) returned 0x514350 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514350, Size=0x40) returned 0x514710 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x80) returned 0x514710 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x100) returned 0x535060 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5349f0 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5349f0, Size=0x20) returned 0x514350 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514350, Size=0x40) returned 0x514710 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x80) returned 0x514710 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x100) returned 0x535168 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x5349f0 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514710 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x8) returned 0x514710 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x514720 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x10) returned 0x514740 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18) returned 0x514758 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a) returned 0x514350 [0033.835] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514740, Size=0x20) returned 0x514778 [0033.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1c) returned 0x514378 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16) returned 0x5147a0 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a) returned 0x5143a0 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x534a20 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514710 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40) returned 0x535270 [0033.836] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x8) returned 0x514710 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3c) returned 0x5352b8 [0033.836] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514710, Size=0x10) returned 0x514740 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x535300 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18) returned 0x535320 [0033.836] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514740, Size=0x20) returned 0x535340 [0033.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x24) returned 0x535368 [0033.836] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0033.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535060 | out: hHeap=0x500000) returned 1 [0033.836] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0033.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535168 | out: hHeap=0x500000) returned 1 [0033.836] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5358e8 [0033.839] EnumServicesStatusExW (in: hSCManager=0x5358e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0033.840] GetLastError () returned 0xea [0033.840] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x5391e8 [0033.840] EnumServicesStatusExW (in: hSCManager=0x5358e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5391e8, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5391e8, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0033.841] CloseServiceHandle (hSCObject=0x5358e8) returned 1 [0033.843] lstrlenW (lpString="Appinfo") returned 7 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0033.843] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0033.843] lstrlenW (lpString="AudioSrv") returned 8 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0033.844] lstrlenW (lpString="BFE") returned 3 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0033.844] lstrlenW (lpString="CryptSvc") returned 8 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0033.844] lstrlenW (lpString="CscService") returned 10 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0033.844] lstrlenW (lpString="DcomLaunch") returned 10 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0033.844] lstrlenW (lpString="Dhcp") returned 4 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0033.844] lstrlenW (lpString="Dnscache") returned 8 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0033.845] lstrlenW (lpString="DPS") returned 3 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0033.845] lstrlenW (lpString="eventlog") returned 8 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0033.845] lstrlenW (lpString="EventSystem") returned 11 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0033.845] lstrlenW (lpString="gpsvc") returned 5 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0033.845] lstrlenW (lpString="iphlpsvc") returned 8 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0033.845] lstrlenW (lpString="LanmanServer") returned 12 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0033.846] lstrlenW (lpString="LanmanWorkstation") returned 17 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0033.846] lstrlenW (lpString="lmhosts") returned 7 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0033.846] lstrlenW (lpString="MMCSS") returned 5 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0033.846] lstrlenW (lpString="MpsSvc") returned 6 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0033.846] lstrlenW (lpString="Netman") returned 6 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0033.846] lstrlenW (lpString="netprofm") returned 8 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0033.847] lstrlenW (lpString="NlaSvc") returned 6 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0033.847] lstrlenW (lpString="nsi") returned 3 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0033.847] lstrlenW (lpString="PcaSvc") returned 6 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0033.847] lstrlenW (lpString="PlugPlay") returned 8 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0033.847] lstrlenW (lpString="Power") returned 5 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0033.847] lstrlenW (lpString="ProfSvc") returned 7 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0033.848] lstrlenW (lpString="RpcEptMapper") returned 12 [0033.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.848] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0033.848] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0033.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0033.848] lstrlenW (lpString="RpcSs") returned 5 [0033.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0033.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0033.848] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0033.848] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0033.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0033.848] lstrlenW (lpString="SamSs") returned 5 [0033.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0033.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0033.848] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0033.848] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0033.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0033.848] lstrlenW (lpString="Schedule") returned 8 [0033.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0033.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0033.848] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0033.848] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0033.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0033.848] lstrlenW (lpString="SENS") returned 4 [0033.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0033.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0033.848] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0033.848] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0033.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0033.848] lstrlenW (lpString="ShellHWDetection") returned 16 [0033.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.848] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0033.848] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0033.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0033.848] lstrlenW (lpString="Spooler") returned 7 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0033.849] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0033.849] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0033.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0033.849] lstrlenW (lpString="SysMain") returned 7 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0033.849] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0033.849] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0033.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0033.849] lstrlenW (lpString="Themes") returned 6 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0033.849] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0033.849] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0033.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0033.849] lstrlenW (lpString="TrkWks") returned 6 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0033.849] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0033.849] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0033.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0033.849] lstrlenW (lpString="UxSms") returned 5 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0033.849] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0033.849] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0033.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0033.849] lstrlenW (lpString="WdiServiceHost") returned 14 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.849] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0033.849] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0033.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0033.849] lstrlenW (lpString="WdiSystemHost") returned 13 [0033.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.850] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0033.850] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0033.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0033.850] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0033.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.850] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0033.850] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0033.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0033.850] lstrlenW (lpString="Winmgmt") returned 7 [0033.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0033.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0033.850] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0033.850] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0033.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0033.850] lstrlenW (lpString="WPDBusEnum") returned 10 [0033.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.850] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0033.850] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0033.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0033.850] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5391e8 | out: hHeap=0x500000) returned 1 [0033.850] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0033.854] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0033.855] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0033.855] lstrlenW (lpString="System") returned 6 [0033.855] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0033.855] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0033.855] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0033.855] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0033.855] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0033.855] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0033.855] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0033.855] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0033.856] lstrlenW (lpString="smss.exe") returned 8 [0033.856] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0033.856] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0033.856] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0033.856] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0033.856] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0033.856] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0033.856] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0033.856] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.857] lstrlenW (lpString="csrss.exe") returned 9 [0033.857] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.857] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.857] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.857] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.857] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.857] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.857] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0033.857] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0033.857] lstrlenW (lpString="wininit.exe") returned 11 [0033.857] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0033.857] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0033.857] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0033.857] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0033.857] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0033.857] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0033.857] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0033.858] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.858] lstrlenW (lpString="csrss.exe") returned 9 [0033.858] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.858] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.858] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.858] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.858] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.858] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.858] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0033.859] lstrlenW (lpString="winlogon.exe") returned 12 [0033.859] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0033.860] lstrlenW (lpString="services.exe") returned 12 [0033.860] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0033.860] lstrlenW (lpString="lsass.exe") returned 9 [0033.860] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0033.861] lstrlenW (lpString="lsm.exe") returned 7 [0033.861] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.861] lstrlenW (lpString="svchost.exe") returned 11 [0033.861] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.862] lstrlenW (lpString="svchost.exe") returned 11 [0033.862] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.862] lstrlenW (lpString="svchost.exe") returned 11 [0033.862] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.863] lstrlenW (lpString="svchost.exe") returned 11 [0033.863] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.863] lstrlenW (lpString="svchost.exe") returned 11 [0033.863] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0033.864] lstrlenW (lpString="audiodg.exe") returned 11 [0033.864] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.864] lstrlenW (lpString="svchost.exe") returned 11 [0033.864] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.865] lstrlenW (lpString="svchost.exe") returned 11 [0033.865] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0033.865] lstrlenW (lpString="dwm.exe") returned 7 [0033.865] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0033.866] lstrlenW (lpString="explorer.exe") returned 12 [0033.866] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0033.866] lstrlenW (lpString="spoolsv.exe") returned 11 [0033.866] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.867] lstrlenW (lpString="svchost.exe") returned 11 [0033.867] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.867] lstrlenW (lpString="taskhost.exe") returned 12 [0033.867] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0033.868] lstrlenW (lpString="taskeng.exe") returned 11 [0033.868] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0033.868] lstrlenW (lpString="prime.exe") returned 9 [0033.868] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0033.869] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0033.869] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0033.870] lstrlenW (lpString="financing.exe") returned 13 [0033.870] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0033.871] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0033.871] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0033.872] lstrlenW (lpString="dg hit.exe") returned 10 [0033.872] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0033.872] lstrlenW (lpString="banners_drops.exe") returned 17 [0033.872] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0033.873] lstrlenW (lpString="vacuum.exe") returned 10 [0033.873] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0033.873] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0033.873] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0033.874] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0033.874] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0033.875] lstrlenW (lpString="holocauststored.exe") returned 19 [0033.875] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0033.875] lstrlenW (lpString="mini.exe") returned 8 [0033.875] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0033.876] lstrlenW (lpString="bi_tiny.exe") returned 11 [0033.876] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0033.876] lstrlenW (lpString="mall_drawn.exe") returned 14 [0033.876] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0033.877] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0033.877] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0033.877] lstrlenW (lpString="distributed.exe") returned 15 [0033.877] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0033.878] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0033.878] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0033.878] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0033.878] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0033.879] lstrlenW (lpString="3dftp.exe") returned 9 [0033.879] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0033.879] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0033.879] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0033.880] lstrlenW (lpString="alftp.exe") returned 9 [0033.880] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0033.880] lstrlenW (lpString="barca.exe") returned 9 [0033.880] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0033.881] lstrlenW (lpString="bitkinex.exe") returned 12 [0033.881] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0033.881] lstrlenW (lpString="coreftp.exe") returned 11 [0033.881] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0033.882] lstrlenW (lpString="far.exe") returned 7 [0033.882] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0033.882] lstrlenW (lpString="filezilla.exe") returned 13 [0033.882] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0033.883] lstrlenW (lpString="flashfxp.exe") returned 12 [0033.883] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0033.883] lstrlenW (lpString="fling.exe") returned 9 [0033.883] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0033.884] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0033.884] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0033.884] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0033.884] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0033.885] lstrlenW (lpString="icq.exe") returned 7 [0033.885] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0033.885] lstrlenW (lpString="leechftp.exe") returned 12 [0033.885] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0033.886] lstrlenW (lpString="ncftp.exe") returned 9 [0033.886] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0033.886] lstrlenW (lpString="notepad.exe") returned 11 [0033.886] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0033.887] lstrlenW (lpString="operamail.exe") returned 13 [0033.887] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0033.887] lstrlenW (lpString="outlook.exe") returned 11 [0033.891] CloseHandle (hObject=0xe4) returned 1 [0033.891] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0033.892] lstrlenW (lpString="pidgin.exe") returned 10 [0033.892] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0033.893] lstrlenW (lpString="scriptftp.exe") returned 13 [0033.893] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0033.894] lstrlenW (lpString="skype.exe") returned 9 [0033.894] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0033.894] lstrlenW (lpString="smartftp.exe") returned 12 [0033.894] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0033.895] lstrlenW (lpString="thunderbird.exe") returned 15 [0033.895] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0033.896] lstrlenW (lpString="totalcmd.exe") returned 12 [0033.896] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0033.897] lstrlenW (lpString="trillian.exe") returned 12 [0033.897] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0033.897] lstrlenW (lpString="webdrive.exe") returned 12 [0033.897] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0033.898] lstrlenW (lpString="whatsapp.exe") returned 12 [0033.898] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0033.899] lstrlenW (lpString="winscp.exe") returned 10 [0033.899] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0033.899] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0033.899] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0033.900] lstrlenW (lpString="active-charge.exe") returned 17 [0033.900] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0033.901] lstrlenW (lpString="accupos.exe") returned 11 [0033.901] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0033.902] lstrlenW (lpString="afr38.exe") returned 9 [0033.902] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0033.902] lstrlenW (lpString="aldelo.exe") returned 10 [0033.902] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0033.903] lstrlenW (lpString="ccv_server.exe") returned 14 [0033.903] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0033.904] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0033.904] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0033.904] lstrlenW (lpString="creditservice.exe") returned 17 [0033.904] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0033.905] lstrlenW (lpString="edcsvr.exe") returned 10 [0033.905] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0033.912] lstrlenW (lpString="fpos.exe") returned 8 [0033.912] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0033.912] lstrlenW (lpString="isspos.exe") returned 10 [0033.912] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0033.913] lstrlenW (lpString="mxslipstream.exe") returned 16 [0033.913] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0033.914] lstrlenW (lpString="omnipos.exe") returned 11 [0033.914] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0033.914] lstrlenW (lpString="spcwin.exe") returned 10 [0033.914] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0033.915] lstrlenW (lpString="spgagentservice.exe") returned 19 [0033.915] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0033.916] lstrlenW (lpString="utg2.exe") returned 8 [0033.916] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0033.916] lstrlenW (lpString="focuses.exe") returned 11 [0033.916] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0033.917] lstrlenW (lpString="fi fence.exe") returned 12 [0033.917] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0033.918] lstrlenW (lpString="knight.exe") returned 10 [0033.918] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0033.918] lstrlenW (lpString="library.exe") returned 11 [0033.918] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0033.919] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0033.919] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0033.919] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0033.919] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.920] lstrlenW (lpString="taskhost.exe") returned 12 [0033.920] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.920] lstrlenW (lpString="dllhost.exe") returned 11 [0033.920] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.921] lstrlenW (lpString="dllhost.exe") returned 11 [0033.921] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0033.922] lstrlenW (lpString="winhost.exe") returned 11 [0033.922] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 0 [0033.922] CloseHandle (hObject=0xe0) returned 1 [0033.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535270 | out: hHeap=0x500000) returned 1 [0033.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5352b8 | out: hHeap=0x500000) returned 1 [0033.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535300 | out: hHeap=0x500000) returned 1 [0033.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535320 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535368 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534a08 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514720 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514758 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514350 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514378 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5147a0 | out: hHeap=0x500000) returned 1 [0033.923] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5143a0 | out: hHeap=0x500000) returned 1 [0033.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x53b430 [0033.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x54b438 [0033.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.923] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x5143a0 [0033.923] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5143a0, Size=0x40) returned 0x5369b0 [0033.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x5143a0 [0033.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x514378 [0033.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x514350 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514350, Size=0x40) returned 0x5369f8 [0033.924] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x54b438, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe")) returned 0x31 [0033.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x55b440 [0033.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x56b448 [0033.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x514350 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514350, Size=0x40) returned 0x536a40 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536a40, Size=0x80) returned 0x535270 [0033.924] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535270, Size=0x100) returned 0x537bb8 [0033.924] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537bb8 | out: hHeap=0x500000) returned 1 [0033.925] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\winhost.exe", lpDst=0x55b440, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\winhost.exe") returned 0x20 [0033.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56b448 | out: hHeap=0x500000) returned 1 [0033.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b440 | out: hHeap=0x500000) returned 1 [0033.925] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x600020 [0033.925] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.925] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x514350 [0033.925] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.925] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x535938 [0033.925] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0033.925] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0033.925] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0033.925] lstrlenW (lpString="kernel32.dll") returned 12 [0033.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514350 | out: hHeap=0x500000) returned 1 [0033.925] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0033.925] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0033.925] CreateFileW (lpFileName="C:\\Windows\\System32\\winhost.exe" (normalized: "c:\\windows\\system32\\winhost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0033.926] ReadFile (in: hFile=0xe0, lpBuffer=0x600020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.940] WriteFile (in: hFile=0xe4, lpBuffer=0x600020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.943] ReadFile (in: hFile=0xe0, lpBuffer=0x600020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0033.943] CloseHandle (hObject=0xe4) returned 1 [0033.945] CloseHandle (hObject=0xe0) returned 1 [0033.945] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.945] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x535938 [0033.945] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.945] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x5358e8 [0033.945] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0033.945] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0033.945] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.945] lstrlenW (lpString="kernel32.dll") returned 12 [0033.945] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5358e8 | out: hHeap=0x500000) returned 1 [0033.945] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.945] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0033.945] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x600020 | out: hHeap=0x500000) returned 1 [0033.950] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.950] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x535938 [0033.950] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535938, Size=0x40) returned 0x536a40 [0033.950] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536a40, Size=0x80) returned 0x55b458 [0033.950] lstrlenW (lpString="C:\\Windows\\System32\\winhost.exe") returned 31 [0033.950] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0033.950] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5c) returned 0x535270 [0033.950] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0033.950] RegSetValueExW (in: hKey=0xe0, lpValueName="winhost.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\winhost.exe", cbData=0x3e | out: lpData="C:\\Windows\\System32\\winhost.exe") returned 0x0 [0033.951] RegCloseKey (hKey=0xe0) returned 0x0 [0033.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535270 | out: hHeap=0x500000) returned 1 [0033.951] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0033.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b458 | out: hHeap=0x500000) returned 1 [0033.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x55d440 [0033.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x56d448 [0033.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a08 [0033.952] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a08, Size=0x20) returned 0x535938 [0033.952] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535938, Size=0x40) returned 0x536a40 [0033.952] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536a40, Size=0x80) returned 0x55b458 [0033.952] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x537bb8 [0033.952] lstrlenW (lpString="") returned 0 [0033.952] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8c) returned 0x537cc0 [0033.952] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe0) returned 0x0 [0033.952] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x56d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x56d448*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0033.952] RegCloseKey (hKey=0xe0) returned 0x0 [0033.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537cc0 | out: hHeap=0x500000) returned 1 [0033.953] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8c) returned 0x537cc0 [0033.953] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0033.953] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x56d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0033.953] RegCloseKey (hKey=0xe4) returned 0x0 [0033.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537cc0 | out: hHeap=0x500000) returned 1 [0033.953] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0033.953] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537bb8 | out: hHeap=0x500000) returned 1 [0033.953] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe", lpDst=0x55d440, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe") returned 0x68 [0033.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56d448 | out: hHeap=0x500000) returned 1 [0033.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d440 | out: hHeap=0x500000) returned 1 [0033.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x600020 [0033.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.954] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x535938 [0033.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.954] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x5358e8 [0033.954] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0033.954] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0033.954] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.954] lstrlenW (lpString="kernel32.dll") returned 12 [0033.954] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0033.954] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.954] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5358e8 | out: hHeap=0x500000) returned 1 [0033.954] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0033.954] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\winhost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0033.956] ReadFile (in: hFile=0xe4, lpBuffer=0x600020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.968] WriteFile (in: hFile=0xe8, lpBuffer=0x600020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.970] ReadFile (in: hFile=0xe4, lpBuffer=0x600020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0033.970] CloseHandle (hObject=0xe8) returned 1 [0033.971] CloseHandle (hObject=0xe4) returned 1 [0033.972] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.972] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x5358e8 [0033.972] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.972] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x535938 [0033.972] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0033.972] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0033.972] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.972] lstrlenW (lpString="kernel32.dll") returned 12 [0033.972] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0033.972] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.972] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5358e8 | out: hHeap=0x500000) returned 1 [0033.972] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x600020 | out: hHeap=0x500000) returned 1 [0033.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x55d440 [0033.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x56d448 [0033.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.977] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x5358e8 [0033.977] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5358e8, Size=0x40) returned 0x536a40 [0033.977] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536a40, Size=0x80) returned 0x55b458 [0033.977] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x537bb8 [0033.977] lstrlenW (lpString="") returned 0 [0033.977] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8c) returned 0x537cc0 [0033.977] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0033.977] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x56d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0033.977] RegCloseKey (hKey=0xe4) returned 0x0 [0033.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537cc0 | out: hHeap=0x500000) returned 1 [0033.977] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0033.977] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537bb8 | out: hHeap=0x500000) returned 1 [0033.977] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe", lpDst=0x55d440, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe") returned 0x49 [0033.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56d448 | out: hHeap=0x500000) returned 1 [0033.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d440 | out: hHeap=0x500000) returned 1 [0033.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x600020 [0033.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.978] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x5358e8 [0033.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0033.978] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x535938 [0033.978] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0033.978] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0033.978] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.978] lstrlenW (lpString="kernel32.dll") returned 12 [0033.978] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5358e8 | out: hHeap=0x500000) returned 1 [0033.978] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.978] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0033.978] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0033.978] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\winhost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0033.980] ReadFile (in: hFile=0xe4, lpBuffer=0x600020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.992] WriteFile (in: hFile=0xe8, lpBuffer=0x600020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.994] ReadFile (in: hFile=0xe4, lpBuffer=0x600020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x600020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0033.994] CloseHandle (hObject=0xe8) returned 1 [0033.995] CloseHandle (hObject=0xe4) returned 1 [0034.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0034.004] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x535938 [0034.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0034.004] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x5358e8 [0034.004] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0034.004] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0034.004] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0034.004] lstrlenW (lpString="kernel32.dll") returned 12 [0034.005] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5358e8 | out: hHeap=0x500000) returned 1 [0034.005] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.005] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0034.005] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x600020 | out: hHeap=0x500000) returned 1 [0034.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53b430 | out: hHeap=0x500000) returned 1 [0034.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b438 | out: hHeap=0x500000) returned 1 [0034.009] lstrlenW (lpString="%windir%\\System32") returned 17 [0034.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5369b0 | out: hHeap=0x500000) returned 1 [0034.009] lstrlenW (lpString="%appdata%") returned 9 [0034.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5143a0 | out: hHeap=0x500000) returned 1 [0034.010] lstrlenW (lpString="%sh(Startup)%") returned 13 [0034.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514378 | out: hHeap=0x500000) returned 1 [0034.010] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0034.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5369f8 | out: hHeap=0x500000) returned 1 [0034.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x514378 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514378, Size=0x40) returned 0x5369f8 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5369f8, Size=0x80) returned 0x55b458 [0034.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x514378 [0034.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1fffc) returned 0x53b430 [0034.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x55d440 [0034.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x56d448 [0034.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x5143a0 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5143a0, Size=0x40) returned 0x5369f8 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5369f8, Size=0x80) returned 0x55b4e0 [0034.010] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b4e0, Size=0x100) returned 0x537bb8 [0034.010] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0034.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537bb8 | out: hHeap=0x500000) returned 1 [0034.010] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x55d440, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0034.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56d448 | out: hHeap=0x500000) returned 1 [0034.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d440 | out: hHeap=0x500000) returned 1 [0034.010] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0034.011] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0034.011] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0034.011] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0034.011] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0xa8c, dwThreadId=0xa80)) returned 1 [0034.028] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0034.028] WriteFile (in: hFile=0xec, lpBuffer=0x55b458*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x55b458*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0034.028] CloseHandle (hObject=0xfc) returned 1 [0034.028] CloseHandle (hObject=0xf8) returned 1 [0034.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53b430 | out: hHeap=0x500000) returned 1 [0034.028] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0034.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b458 | out: hHeap=0x500000) returned 1 [0034.028] lstrlenW (lpString="%comspec%") returned 9 [0034.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514378 | out: hHeap=0x500000) returned 1 [0034.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0034.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x534a38 [0034.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x534a38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0034.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5147b0 [0034.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x5147b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0034.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a50 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a50, Size=0x20) returned 0x514378 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514378, Size=0x40) returned 0x5369f8 [0034.030] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0034.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd0) returned 0x537c30 [0034.030] GetLogicalDrives () returned 0x4 [0034.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10014) returned 0x53b430 [0034.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a50 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a50, Size=0x20) returned 0x514378 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514378, Size=0x40) returned 0x536a88 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536a88, Size=0x80) returned 0x55b458 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x5391a0 [0034.030] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x200) returned 0x5391a0 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x400) returned 0x5391a0 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x800) returned 0x5397b8 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5397b8, Size=0x1000) returned 0x54b450 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x55d440 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a50 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x534b28 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514758 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x534b40 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x514768 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534b58 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514768, Size=0x8) returned 0x514768 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534b70 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514768, Size=0x10) returned 0x514720 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534b88 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534ba0 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514720, Size=0x20) returned 0x537ab8 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534bb8 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x514768 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x534bd0 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x534be8 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x537ab8, Size=0x40) returned 0x5352e0 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x534c00 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x534c18 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x534c30 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x534c48 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534c60 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534c78 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x535328 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534c90 [0034.031] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5352e0, Size=0x80) returned 0x5391a0 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534ca8 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534cc0 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534cd8 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x534cf0 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5397d0 [0034.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x5397e8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539800 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x514720 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539818 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539830 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539848 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539860 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539878 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539890 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x5398a8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5398c0 [0034.032] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x100) returned 0x5391a0 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5398d8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5398f0 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539908 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x539920 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539938 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539950 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x514730 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539968 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539980 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539998 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x537ab8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5399b0 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5399c8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x537ac8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5399e0 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x5399f8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539a10 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539a28 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539a40 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539a58 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x539a70 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539a88 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x539aa0 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539ab8 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539ad0 [0034.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539ae8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b00 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x537ad8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b18 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b30 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b48 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b60 [0034.033] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x200) returned 0x5391a0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b78 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5352e0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539b90 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539bd0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539be8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539c00 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539c18 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539c30 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539c48 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539c60 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539c78 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539c90 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539ca8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539cc0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539cd8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539cf0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539d08 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539d20 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539d38 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539d50 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539d68 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539d80 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539d98 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5352f0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539db0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539dc8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539de0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x539fd0 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539df8 [0034.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539e10 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539e28 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539e40 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539e58 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539e70 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539e88 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539ea0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539eb8 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539ed0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539ee8 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539f00 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539f18 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x539f30 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539f48 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539f60 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539f78 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x539f90 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c470 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c488 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c4a0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x539fe0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x539ff0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c4b8 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c4d0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c4e8 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c500 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c518 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54c530 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c548 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c560 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c578 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c590 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54c5a8 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c5c0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c5d8 [0034.034] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x400) returned 0x5391a0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c5f0 [0034.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c608 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54c620 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c638 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c650 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c668 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54c680 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c698 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c6b0 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c6c8 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53a000 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c6e0 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54c6f8 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c710 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c728 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c740 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c758 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x54c770 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c788 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c7a0 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c7b8 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c7d0 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c7e8 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c800 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c818 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c830 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53a010 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c870 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c888 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c8a0 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c8b8 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c8d0 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c8e8 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c900 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c918 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c930 [0034.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x54c948 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c960 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x54c978 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c990 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c9a8 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c9c0 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c9d8 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54c9f0 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54ca08 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ca20 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ca38 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ca50 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ca68 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ca80 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ca98 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cab0 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cac8 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cae0 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54caf8 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cb10 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cb28 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cb40 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cb58 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cb70 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cb88 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cba0 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x54cbb8 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12) returned 0x535f08 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cbd0 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cbe8 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cc00 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cc18 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cc30 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cc70 [0034.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cc88 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cca0 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ccb8 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ccd0 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cce8 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd00 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd18 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd30 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd48 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd60 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd78 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cd90 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cda8 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cdc0 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cdd8 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cdf0 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54ce08 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe) returned 0x54ce20 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54ce38 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53a020 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ce50 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53a030 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ce68 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ce80 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54ce98 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54ceb0 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cec8 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cee0 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cef8 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cf10 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cf28 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cf40 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cf58 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cf70 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54cf88 [0034.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cfa0 [0034.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53a040 [0034.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cfb8 [0034.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa) returned 0x54cfd0 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5391a0, Size=0x800) returned 0x54d458 [0034.038] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0034.038] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b450 | out: hHeap=0x500000) returned 1 [0034.038] lstrlenW (lpString="") returned 0 [0034.038] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54dd98 | out: hHeap=0x500000) returned 1 [0034.038] lstrlenW (lpString=".NcOv") returned 5 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514758, Size=0x8) returned 0x514758 [0034.038] lstrlenW (lpString=".NcOv") returned 5 [0034.038] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54dd98 | out: hHeap=0x500000) returned 1 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ddc8, Size=0x20) returned 0x514378 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514378, Size=0x40) returned 0x536a88 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536a88, Size=0x80) returned 0x55b458 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0b0, Size=0x8) returned 0x53a0c0 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0c0, Size=0x10) returned 0x54ddc8 [0034.038] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ddc8, Size=0x20) returned 0x514350 [0034.038] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0034.038] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b458 | out: hHeap=0x500000) returned 1 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ddf8, Size=0x20) returned 0x535938 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535938, Size=0x40) returned 0x536a88 [0034.039] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0034.039] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0034.039] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536a88 | out: hHeap=0x500000) returned 1 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ddf8, Size=0x20) returned 0x535938 [0034.039] lstrlenW (lpString="Info.hta") returned 8 [0034.039] lstrlenW (lpString="Info.hta") returned 8 [0034.039] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535938 | out: hHeap=0x500000) returned 1 [0034.039] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x56d448, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe")) returned 0x31 [0034.039] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56d448 | out: hHeap=0x500000) returned 1 [0034.039] lstrlenW (lpString="winhost.exe") returned 11 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514350, Size=0x40) returned 0x536a88 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ddf8, Size=0x20) returned 0x514350 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ddf8, Size=0x20) returned 0x535938 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535938, Size=0x40) returned 0x536ad0 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536ad0, Size=0x80) returned 0x55b458 [0034.039] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x54b450 [0034.040] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0034.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b450 | out: hHeap=0x500000) returned 1 [0034.040] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x56d448, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0034.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x57d450 | out: hHeap=0x500000) returned 1 [0034.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56d448 | out: hHeap=0x500000) returned 1 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0c0, Size=0x8) returned 0x53a0b0 [0034.040] lstrlenW (lpString="%windir%;") returned 9 [0034.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514350 | out: hHeap=0x500000) returned 1 [0034.040] lstrlenW (lpString="C:\\Windows;") returned 11 [0034.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d440 | out: hHeap=0x500000) returned 1 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54de10, Size=0x20) returned 0x514350 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x514350, Size=0x40) returned 0x536ad0 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536ad0, Size=0x80) returned 0x55b458 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x54b450 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0f0, Size=0x8) returned 0x53a100 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a100, Size=0x10) returned 0x54de58 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54de58, Size=0x20) returned 0x514350 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0c0, Size=0x8) returned 0x53a100 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0d0, Size=0x8) returned 0x53a0c0 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0f0, Size=0x8) returned 0x53a110 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a110, Size=0x10) returned 0x54df00 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54df00, Size=0x20) returned 0x535938 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a100, Size=0x10) returned 0x54df00 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a0c0, Size=0x10) returned 0x54df30 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a100, Size=0x8) returned 0x53a0f0 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a120, Size=0x8) returned 0x53a130 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54df00, Size=0x20) returned 0x5358e8 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54df30, Size=0x20) returned 0x535848 [0034.040] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a140, Size=0x8) returned 0x53a150 [0034.041] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0034.041] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b450 | out: hHeap=0x500000) returned 1 [0034.041] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54dfa8, Size=0x20) returned 0x535960 [0034.041] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x55d440, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0034.041] lstrlenW (lpString="C:\\") returned 3 [0034.041] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.041] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d440 | out: hHeap=0x500000) returned 1 [0034.041] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a180, Size=0x82) returned 0x54b9b8 [0034.041] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a1a0, Size=0x100) returned 0x54ba48 [0034.041] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54b9b8, Size=0x104) returned 0x54bc70 [0034.041] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54ba48, Size=0x200) returned 0x54bd80 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53a190 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54bd80 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b5d0 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b5f0 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54e008 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b678 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54e038 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54bc70 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54e020 | out: hHeap=0x500000) returned 1 [0034.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54bb50 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b5e8 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54bbe0 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b600 | out: hHeap=0x500000) returned 1 [0034.043] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54e020, Size=0x20) returned 0x535988 [0034.043] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535988, Size=0x40) returned 0x536ad0 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53a160 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54dfa8 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b528 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54dfd8 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b568 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54dfc0 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53a170 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54dff0 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x537ed0 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536008 | out: hHeap=0x500000) returned 1 [0034.043] lstrlenW (lpString="%systemdrive%") returned 13 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535960 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b458 | out: hHeap=0x500000) returned 1 [0034.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53a140 | out: hHeap=0x500000) returned 1 [0034.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x53b430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0034.984] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54e008, Size=0x20) returned 0x535b18 [0034.984] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535b18, Size=0x40) returned 0x536ba8 [0034.984] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536ba8, Size=0x80) returned 0x55b458 [0034.984] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x550080 [0034.984] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x550080, Size=0x200) returned 0x54bc98 [0034.984] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54bc98, Size=0x400) returned 0x54bc98 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54bc98, Size=0x800) returned 0x5530a8 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5530a8, Size=0x1000) returned 0x5530a8 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a170, Size=0x8) returned 0x53a160 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a160, Size=0x10) returned 0x54b600 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54b600, Size=0x20) returned 0x535b18 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535b18, Size=0x40) returned 0x536ba8 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536ba8, Size=0x80) returned 0x55b458 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x550080 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x550080, Size=0x200) returned 0x54c098 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54c098, Size=0x400) returned 0x5544b0 [0034.985] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5544b0, Size=0x800) returned 0x5554b8 [0034.986] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0034.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5530a8 | out: hHeap=0x500000) returned 1 [0034.986] lstrlenW (lpString="") returned 0 [0034.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x556380 | out: hHeap=0x500000) returned 1 [0034.986] lstrlenW (lpString=".NcOv") returned 5 [0034.986] lstrlenW (lpString=".NcOv") returned 5 [0034.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x556380 | out: hHeap=0x500000) returned 1 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5563b0, Size=0x20) returned 0x535b18 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535b18, Size=0x40) returned 0x536ba8 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536ba8, Size=0x80) returned 0x55b458 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a2e0, Size=0x8) returned 0x53a2f0 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a2f0, Size=0x10) returned 0x5563b0 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5563b0, Size=0x20) returned 0x535a50 [0034.986] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0034.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b458 | out: hHeap=0x500000) returned 1 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5563e0, Size=0x20) returned 0x535b40 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535b40, Size=0x40) returned 0x536ba8 [0034.986] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0034.986] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0034.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536ba8 | out: hHeap=0x500000) returned 1 [0034.986] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5563e0, Size=0x20) returned 0x535b40 [0034.986] lstrlenW (lpString="Info.hta") returned 8 [0034.986] lstrlenW (lpString="Info.hta") returned 8 [0034.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535b40 | out: hHeap=0x500000) returned 1 [0034.987] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x57d468, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe")) returned 0x31 [0036.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x57d468 | out: hHeap=0x500000) returned 1 [0036.099] lstrlenW (lpString="winhost.exe") returned 11 [0036.099] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535a50, Size=0x40) returned 0x536d10 [0036.099] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a4f0, Size=0x20) returned 0x535a50 [0036.100] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a4f0, Size=0x20) returned 0x535c30 [0036.100] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535c30, Size=0x40) returned 0x536d58 [0036.100] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536d58, Size=0x80) returned 0x55b458 [0036.100] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x550080 [0036.100] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0036.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x550080 | out: hHeap=0x500000) returned 1 [0036.100] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x57d468, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0036.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x59d478 | out: hHeap=0x500000) returned 1 [0036.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x57d468 | out: hHeap=0x500000) returned 1 [0036.100] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a2e0, Size=0x8) returned 0x53a300 [0036.100] lstrlenW (lpString="%windir%;") returned 9 [0036.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535a50 | out: hHeap=0x500000) returned 1 [0036.100] lstrlenW (lpString="C:\\Windows;") returned 11 [0036.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56d460 | out: hHeap=0x500000) returned 1 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a508, Size=0x20) returned 0x535a50 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535a50, Size=0x40) returned 0x536d58 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536d58, Size=0x80) returned 0x55b458 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x550080 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a330, Size=0x8) returned 0x53a340 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a340, Size=0x10) returned 0x55a550 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a550, Size=0x20) returned 0x535a50 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a2e0, Size=0x8) returned 0x53a340 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a310, Size=0x8) returned 0x53a2e0 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a330, Size=0x8) returned 0x53a350 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a350, Size=0x10) returned 0x55a5f8 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a5f8, Size=0x20) returned 0x535c30 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a340, Size=0x10) returned 0x55a5f8 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a2e0, Size=0x10) returned 0x55a628 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a340, Size=0x8) returned 0x53a330 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a360, Size=0x8) returned 0x53a370 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a5f8, Size=0x20) returned 0x535c58 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a628, Size=0x20) returned 0x535c80 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a380, Size=0x8) returned 0x53a390 [0036.101] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a6a0, Size=0x20) returned 0x535cd0 [0036.102] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x59d478, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0036.102] lstrlenW (lpString="C:\\") returned 3 [0036.102] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0036.102] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x59d478 | out: hHeap=0x500000) returned 1 [0036.102] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55ace8, Size=0x82) returned 0x5547c8 [0036.102] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55ad08, Size=0x100) returned 0x550080 [0036.102] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5547c8, Size=0x104) returned 0x55b1e0 [0036.102] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x550080, Size=0x200) returned 0x59d490 [0036.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55acf8 | out: hHeap=0x500000) returned 1 [0036.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x59d490 | out: hHeap=0x500000) returned 1 [0036.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a748 | out: hHeap=0x500000) returned 1 [0036.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b678 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a700 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b5f0 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a730 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b1e0 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a718 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b0c0 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a760 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b150 | out: hHeap=0x500000) returned 1 [0036.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a778 | out: hHeap=0x500000) returned 1 [0036.104] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a778, Size=0x20) returned 0x535cf8 [0036.104] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535cf8, Size=0x40) returned 0x536d58 [0036.115] WaitForMultipleObjects (nCount=0x2, lpHandles=0x537c30*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa90 Thread: id = 4 os_tid = 0xa7c [0034.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x54dff0 [0034.272] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54dff0, Size=0x20) returned 0x535988 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535988, Size=0x40) returned 0x536b18 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536b18, Size=0x80) returned 0x55b458 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x54bbc8 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x54dff0 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54dff0, Size=0x20) returned 0x535988 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535988, Size=0x40) returned 0x536b18 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x536b18, Size=0x80) returned 0x55b458 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55b458, Size=0x100) returned 0x550080 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54dff0 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x53a140 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x54dfc0 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a140, Size=0x8) returned 0x53a170 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x536028 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a170, Size=0x10) returned 0x54dfd8 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18) returned 0x536048 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a) returned 0x535988 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54dfd8, Size=0x20) returned 0x5359b0 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1c) returned 0x5359d8 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16) returned 0x536068 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a) returned 0x535a00 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc) returned 0x54dfd8 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x53a170 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40) returned 0x536b18 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a170, Size=0x8) returned 0x53a140 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3c) returned 0x536b60 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x53a140, Size=0x10) returned 0x54dfa8 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14) returned 0x536088 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18) returned 0x5360a8 [0034.273] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x54dfa8, Size=0x20) returned 0x535a28 [0034.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x24) returned 0x537ed0 [0034.273] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0034.274] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54bbc8 | out: hHeap=0x500000) returned 1 [0034.274] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0034.274] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x550080 | out: hHeap=0x500000) returned 1 [0034.274] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x535ac8 [0034.274] EnumServicesStatusExW (in: hSCManager=0x535ac8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0034.274] GetLastError () returned 0xea [0034.274] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x5530a8 [0034.274] EnumServicesStatusExW (in: hSCManager=0x535ac8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5530a8, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5530a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0034.275] CloseServiceHandle (hSCObject=0x535ac8) returned 1 [0034.275] lstrlenW (lpString="Appinfo") returned 7 [0034.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0034.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0034.275] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0034.275] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0034.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0034.275] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0034.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.276] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0034.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0034.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0034.276] lstrlenW (lpString="AudioSrv") returned 8 [0034.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0034.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0034.276] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0034.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0034.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0034.276] lstrlenW (lpString="BFE") returned 3 [0034.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0034.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0034.276] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0034.276] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0034.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0034.276] lstrlenW (lpString="CryptSvc") returned 8 [0034.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0034.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0034.276] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0034.276] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0034.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0034.276] lstrlenW (lpString="CscService") returned 10 [0034.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0034.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0034.276] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0034.276] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0034.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0034.276] lstrlenW (lpString="DcomLaunch") returned 10 [0034.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.276] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0034.276] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0034.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0034.276] lstrlenW (lpString="Dhcp") returned 4 [0034.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0034.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0034.277] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0034.277] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0034.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0034.277] lstrlenW (lpString="Dnscache") returned 8 [0034.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0034.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0034.277] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0034.277] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0034.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0034.277] lstrlenW (lpString="DPS") returned 3 [0034.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0034.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0034.277] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0034.277] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0034.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0034.277] lstrlenW (lpString="eventlog") returned 8 [0034.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0034.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0034.277] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0034.277] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0034.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0034.277] lstrlenW (lpString="EventSystem") returned 11 [0034.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0034.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0034.277] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0034.277] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0034.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0034.277] lstrlenW (lpString="gpsvc") returned 5 [0034.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0034.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0034.277] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0034.277] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0034.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0034.277] lstrlenW (lpString="iphlpsvc") returned 8 [0034.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.278] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0034.278] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0034.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0034.278] lstrlenW (lpString="LanmanServer") returned 12 [0034.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0034.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0034.278] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0034.278] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0034.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0034.278] lstrlenW (lpString="LanmanWorkstation") returned 17 [0034.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.278] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0034.278] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0034.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0034.278] lstrlenW (lpString="lmhosts") returned 7 [0034.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0034.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0034.278] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0034.278] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0034.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0034.278] lstrlenW (lpString="MMCSS") returned 5 [0034.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0034.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0034.278] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0034.278] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0034.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0034.278] lstrlenW (lpString="MpsSvc") returned 6 [0034.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0034.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0034.278] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0034.278] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0034.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0034.278] lstrlenW (lpString="Netman") returned 6 [0034.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0034.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0034.279] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0034.279] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0034.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0034.279] lstrlenW (lpString="netprofm") returned 8 [0034.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0034.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0034.279] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0034.279] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0034.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0034.279] lstrlenW (lpString="NlaSvc") returned 6 [0034.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0034.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0034.279] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0034.279] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0034.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0034.279] lstrlenW (lpString="nsi") returned 3 [0034.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0034.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0034.279] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0034.279] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0034.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0034.279] lstrlenW (lpString="PcaSvc") returned 6 [0034.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0034.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0034.279] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0034.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0034.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0034.279] lstrlenW (lpString="PlugPlay") returned 8 [0034.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0034.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0034.279] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0034.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0034.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0034.280] lstrlenW (lpString="Power") returned 5 [0034.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0034.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0034.280] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0034.280] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0034.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0034.280] lstrlenW (lpString="ProfSvc") returned 7 [0034.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0034.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0034.280] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0034.280] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0034.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0034.280] lstrlenW (lpString="RpcEptMapper") returned 12 [0034.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.281] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0034.281] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0034.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0034.281] lstrlenW (lpString="RpcSs") returned 5 [0034.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0034.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0034.281] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0034.281] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0034.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0034.281] lstrlenW (lpString="SamSs") returned 5 [0034.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0034.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0034.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0034.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0034.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0034.281] lstrlenW (lpString="Schedule") returned 8 [0034.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0034.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0034.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0034.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0034.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0034.281] lstrlenW (lpString="SENS") returned 4 [0034.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0034.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0034.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0034.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0034.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0034.281] lstrlenW (lpString="ShellHWDetection") returned 16 [0034.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.281] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0034.281] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0034.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0034.281] lstrlenW (lpString="Spooler") returned 7 [0034.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0034.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0034.282] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0034.282] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0034.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0034.282] lstrlenW (lpString="SysMain") returned 7 [0034.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0034.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0034.282] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0034.282] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0034.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0034.282] lstrlenW (lpString="Themes") returned 6 [0034.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0034.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0034.282] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0034.282] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0034.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0034.282] lstrlenW (lpString="TrkWks") returned 6 [0034.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0034.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0034.282] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0034.282] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0034.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0034.282] lstrlenW (lpString="UxSms") returned 5 [0034.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0034.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0034.282] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0034.282] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0034.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0034.282] lstrlenW (lpString="WdiServiceHost") returned 14 [0034.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.282] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0034.282] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0034.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0034.283] lstrlenW (lpString="WdiSystemHost") returned 13 [0034.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.283] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0034.283] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0034.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0034.283] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0034.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.283] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0034.283] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0034.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0034.283] lstrlenW (lpString="Winmgmt") returned 7 [0034.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0034.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0034.283] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0034.283] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0034.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0034.283] lstrlenW (lpString="WPDBusEnum") returned 10 [0034.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.283] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0034.283] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0034.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0034.283] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5530a8 | out: hHeap=0x500000) returned 1 [0034.284] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x114 [0034.287] Process32FirstW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0034.288] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0034.288] lstrlenW (lpString="System") returned 6 [0034.288] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0034.288] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0034.288] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0034.288] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0034.288] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0034.288] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0034.288] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0034.288] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0034.289] lstrlenW (lpString="smss.exe") returned 8 [0034.289] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0034.289] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.289] lstrlenW (lpString="csrss.exe") returned 9 [0034.289] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.289] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.289] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.289] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.290] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.290] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0034.290] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0034.290] lstrlenW (lpString="wininit.exe") returned 11 [0034.290] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0034.290] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0034.290] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0034.290] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0034.290] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0034.290] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0034.290] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0034.290] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.291] lstrlenW (lpString="csrss.exe") returned 9 [0034.291] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.291] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.291] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.291] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.291] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.291] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.291] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0034.292] lstrlenW (lpString="winlogon.exe") returned 12 [0034.292] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0034.292] lstrlenW (lpString="services.exe") returned 12 [0034.292] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0034.293] lstrlenW (lpString="lsass.exe") returned 9 [0034.293] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0034.293] lstrlenW (lpString="lsm.exe") returned 7 [0034.293] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.294] lstrlenW (lpString="svchost.exe") returned 11 [0034.294] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.294] lstrlenW (lpString="svchost.exe") returned 11 [0034.294] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.295] lstrlenW (lpString="svchost.exe") returned 11 [0034.295] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.295] lstrlenW (lpString="svchost.exe") returned 11 [0034.295] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.296] lstrlenW (lpString="svchost.exe") returned 11 [0034.296] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0034.296] lstrlenW (lpString="audiodg.exe") returned 11 [0034.296] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.297] lstrlenW (lpString="svchost.exe") returned 11 [0034.297] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.297] lstrlenW (lpString="svchost.exe") returned 11 [0034.298] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0034.298] lstrlenW (lpString="dwm.exe") returned 7 [0034.298] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0034.299] lstrlenW (lpString="explorer.exe") returned 12 [0034.299] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0034.299] lstrlenW (lpString="spoolsv.exe") returned 11 [0034.299] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.300] lstrlenW (lpString="svchost.exe") returned 11 [0034.300] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.300] lstrlenW (lpString="taskhost.exe") returned 12 [0034.300] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0034.301] lstrlenW (lpString="taskeng.exe") returned 11 [0034.301] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0034.301] lstrlenW (lpString="prime.exe") returned 9 [0034.301] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0034.302] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0034.302] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0034.302] lstrlenW (lpString="financing.exe") returned 13 [0034.302] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0034.303] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0034.303] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0034.303] lstrlenW (lpString="dg hit.exe") returned 10 [0034.304] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0034.304] lstrlenW (lpString="banners_drops.exe") returned 17 [0034.304] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0034.305] lstrlenW (lpString="vacuum.exe") returned 10 [0034.305] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0034.305] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0034.305] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0034.306] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0034.306] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0034.306] lstrlenW (lpString="holocauststored.exe") returned 19 [0034.306] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0034.307] lstrlenW (lpString="mini.exe") returned 8 [0034.307] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0034.307] lstrlenW (lpString="bi_tiny.exe") returned 11 [0034.307] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0034.308] lstrlenW (lpString="mall_drawn.exe") returned 14 [0034.308] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0034.308] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0034.308] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0034.309] lstrlenW (lpString="distributed.exe") returned 15 [0034.309] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0034.309] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0034.309] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0034.310] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0034.310] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0034.310] lstrlenW (lpString="3dftp.exe") returned 9 [0034.310] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0034.311] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0034.311] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0034.999] lstrlenW (lpString="alftp.exe") returned 9 [0035.045] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0035.045] lstrlenW (lpString="barca.exe") returned 9 [0035.045] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0035.046] lstrlenW (lpString="bitkinex.exe") returned 12 [0035.046] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0035.047] lstrlenW (lpString="coreftp.exe") returned 11 [0035.047] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0035.047] lstrlenW (lpString="far.exe") returned 7 [0035.047] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0035.048] lstrlenW (lpString="filezilla.exe") returned 13 [0035.048] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0035.048] lstrlenW (lpString="flashfxp.exe") returned 12 [0035.048] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0035.049] lstrlenW (lpString="fling.exe") returned 9 [0035.049] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0035.049] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0035.049] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0035.050] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0035.050] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0035.050] lstrlenW (lpString="icq.exe") returned 7 [0035.050] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0035.051] lstrlenW (lpString="leechftp.exe") returned 12 [0035.051] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0035.051] lstrlenW (lpString="ncftp.exe") returned 9 [0035.051] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0035.052] lstrlenW (lpString="notepad.exe") returned 11 [0035.052] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0035.052] lstrlenW (lpString="operamail.exe") returned 13 [0035.053] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0035.053] lstrlenW (lpString="pidgin.exe") returned 10 [0035.053] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0035.054] lstrlenW (lpString="scriptftp.exe") returned 13 [0035.054] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0035.055] lstrlenW (lpString="skype.exe") returned 9 [0035.055] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0035.056] lstrlenW (lpString="smartftp.exe") returned 12 [0035.056] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0035.057] lstrlenW (lpString="thunderbird.exe") returned 15 [0035.057] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0035.058] lstrlenW (lpString="totalcmd.exe") returned 12 [0035.058] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0035.058] lstrlenW (lpString="trillian.exe") returned 12 [0035.058] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0035.059] lstrlenW (lpString="webdrive.exe") returned 12 [0035.059] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0035.060] lstrlenW (lpString="whatsapp.exe") returned 12 [0035.060] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0035.061] lstrlenW (lpString="winscp.exe") returned 10 [0035.061] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0035.061] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0035.062] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0035.062] lstrlenW (lpString="active-charge.exe") returned 17 [0035.062] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0035.063] lstrlenW (lpString="accupos.exe") returned 11 [0035.063] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0035.064] lstrlenW (lpString="afr38.exe") returned 9 [0035.064] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0035.064] lstrlenW (lpString="aldelo.exe") returned 10 [0035.064] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0035.065] lstrlenW (lpString="ccv_server.exe") returned 14 [0035.065] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0035.066] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0035.066] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0035.066] lstrlenW (lpString="creditservice.exe") returned 17 [0035.067] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0035.067] lstrlenW (lpString="edcsvr.exe") returned 10 [0035.067] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0035.068] lstrlenW (lpString="fpos.exe") returned 8 [0035.068] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0035.069] lstrlenW (lpString="isspos.exe") returned 10 [0035.069] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0035.069] lstrlenW (lpString="mxslipstream.exe") returned 16 [0035.069] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0035.070] lstrlenW (lpString="omnipos.exe") returned 11 [0035.070] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0035.070] lstrlenW (lpString="spcwin.exe") returned 10 [0035.071] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0035.071] lstrlenW (lpString="spgagentservice.exe") returned 19 [0035.071] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0035.072] lstrlenW (lpString="utg2.exe") returned 8 [0035.072] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0035.072] lstrlenW (lpString="focuses.exe") returned 11 [0035.072] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0035.073] lstrlenW (lpString="fi fence.exe") returned 12 [0035.073] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0035.074] lstrlenW (lpString="knight.exe") returned 10 [0035.074] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0035.074] lstrlenW (lpString="library.exe") returned 11 [0035.074] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0035.075] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0035.075] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0035.084] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0035.085] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.088] lstrlenW (lpString="taskhost.exe") returned 12 [0035.088] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.177] lstrlenW (lpString="dllhost.exe") returned 11 [0035.178] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.178] lstrlenW (lpString="dllhost.exe") returned 11 [0035.178] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0035.179] lstrlenW (lpString="winhost.exe") returned 11 [0035.179] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0035.179] lstrlenW (lpString="cmd.exe") returned 7 [0035.179] Process32NextW (in: hSnapshot=0x114, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0035.180] CloseHandle (hObject=0x114) returned 1 [0035.180] Sleep (dwMilliseconds=0x1f4) [0037.108] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a35b0 [0037.108] EnumServicesStatusExW (in: hSCManager=0x5a35b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0037.109] GetLastError () returned 0xea [0037.109] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x3771078 [0037.109] EnumServicesStatusExW (in: hSCManager=0x5a35b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3771078, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3771078, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0037.110] CloseServiceHandle (hSCObject=0x5a35b0) returned 1 [0037.110] lstrlenW (lpString="Appinfo") returned 7 [0037.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0037.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0037.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0037.110] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0037.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0037.110] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0037.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.110] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0037.110] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0037.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0037.110] lstrlenW (lpString="AudioSrv") returned 8 [0037.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0037.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0037.110] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0037.110] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0037.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0037.110] lstrlenW (lpString="BFE") returned 3 [0037.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0037.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0037.110] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0037.110] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0037.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0037.110] lstrlenW (lpString="CryptSvc") returned 8 [0037.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0037.111] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0037.111] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0037.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0037.111] lstrlenW (lpString="CscService") returned 10 [0037.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0037.111] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0037.111] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0037.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0037.111] lstrlenW (lpString="DcomLaunch") returned 10 [0037.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.111] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0037.111] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0037.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0037.111] lstrlenW (lpString="Dhcp") returned 4 [0037.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0037.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0037.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0037.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0037.111] lstrlenW (lpString="Dnscache") returned 8 [0037.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0037.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0037.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0037.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0037.111] lstrlenW (lpString="DPS") returned 3 [0037.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0037.111] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0037.111] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0037.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0037.111] lstrlenW (lpString="eventlog") returned 8 [0037.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0037.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0037.112] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0037.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0037.112] lstrlenW (lpString="EventSystem") returned 11 [0037.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0037.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0037.112] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0037.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0037.112] lstrlenW (lpString="gpsvc") returned 5 [0037.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0037.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0037.112] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0037.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0037.112] lstrlenW (lpString="iphlpsvc") returned 8 [0037.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0037.112] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0037.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0037.112] lstrlenW (lpString="LanmanServer") returned 12 [0037.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0037.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0037.112] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0037.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0037.112] lstrlenW (lpString="LanmanWorkstation") returned 17 [0037.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0037.112] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0037.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0037.112] lstrlenW (lpString="lmhosts") returned 7 [0037.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0037.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0037.112] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0037.113] lstrlenW (lpString="MMCSS") returned 5 [0037.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0037.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0037.113] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0037.113] lstrlenW (lpString="MpsSvc") returned 6 [0037.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0037.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0037.113] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0037.113] lstrlenW (lpString="Netman") returned 6 [0037.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0037.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0037.113] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0037.113] lstrlenW (lpString="netprofm") returned 8 [0037.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0037.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0037.113] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0037.113] lstrlenW (lpString="NlaSvc") returned 6 [0037.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0037.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0037.113] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0037.113] lstrlenW (lpString="nsi") returned 3 [0037.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0037.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0037.113] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0037.113] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0037.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0037.114] lstrlenW (lpString="PcaSvc") returned 6 [0037.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0037.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0037.114] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0037.114] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0037.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0037.114] lstrlenW (lpString="PlugPlay") returned 8 [0037.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0037.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0037.114] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0037.114] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0037.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0037.114] lstrlenW (lpString="Power") returned 5 [0037.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0037.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0037.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0037.114] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0037.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0037.114] lstrlenW (lpString="ProfSvc") returned 7 [0037.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0037.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0037.114] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0037.114] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0037.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0037.114] lstrlenW (lpString="RpcEptMapper") returned 12 [0037.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.114] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0037.114] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0037.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0037.114] lstrlenW (lpString="RpcSs") returned 5 [0037.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0037.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0037.114] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0037.114] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0037.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0037.115] lstrlenW (lpString="SamSs") returned 5 [0037.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0037.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0037.115] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0037.115] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0037.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0037.115] lstrlenW (lpString="Schedule") returned 8 [0037.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0037.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0037.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0037.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0037.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0037.115] lstrlenW (lpString="SENS") returned 4 [0037.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0037.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0037.115] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0037.115] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0037.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0037.115] lstrlenW (lpString="ShellHWDetection") returned 16 [0037.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.115] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0037.115] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0037.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0037.115] lstrlenW (lpString="Spooler") returned 7 [0037.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0037.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0037.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0037.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0037.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0037.115] lstrlenW (lpString="SysMain") returned 7 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0037.116] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0037.116] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0037.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0037.116] lstrlenW (lpString="Themes") returned 6 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0037.116] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0037.116] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0037.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0037.116] lstrlenW (lpString="TrkWks") returned 6 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0037.116] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0037.116] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0037.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0037.116] lstrlenW (lpString="UxSms") returned 5 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0037.116] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0037.116] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0037.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0037.116] lstrlenW (lpString="WdiServiceHost") returned 14 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.116] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0037.116] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0037.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0037.116] lstrlenW (lpString="WdiSystemHost") returned 13 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.116] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0037.116] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0037.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0037.116] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0037.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.117] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0037.117] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0037.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0037.117] lstrlenW (lpString="Winmgmt") returned 7 [0037.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0037.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0037.117] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0037.117] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0037.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0037.117] lstrlenW (lpString="WPDBusEnum") returned 10 [0037.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.117] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0037.117] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0037.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0037.117] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3771078 | out: hHeap=0x500000) returned 1 [0037.117] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x16c [0037.122] Process32FirstW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0037.123] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0037.123] lstrlenW (lpString="System") returned 6 [0037.123] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0037.123] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0037.123] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0037.123] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0037.123] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0037.123] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0037.123] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0037.123] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0037.124] lstrlenW (lpString="smss.exe") returned 8 [0037.124] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0037.124] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0037.124] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0037.124] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0037.124] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0037.124] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0037.124] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0037.124] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.125] lstrlenW (lpString="csrss.exe") returned 9 [0037.125] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.125] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.125] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.125] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.125] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.125] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.125] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0037.125] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0037.125] lstrlenW (lpString="wininit.exe") returned 11 [0037.125] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0037.125] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0037.125] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0037.125] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0037.125] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0037.125] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0037.125] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0037.125] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.126] lstrlenW (lpString="csrss.exe") returned 9 [0037.126] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.126] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.126] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.126] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.126] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.126] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.126] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0037.127] lstrlenW (lpString="winlogon.exe") returned 12 [0037.127] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0037.127] lstrlenW (lpString="services.exe") returned 12 [0037.127] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0037.128] lstrlenW (lpString="lsass.exe") returned 9 [0037.128] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0037.128] lstrlenW (lpString="lsm.exe") returned 7 [0037.128] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.129] lstrlenW (lpString="svchost.exe") returned 11 [0037.129] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.129] lstrlenW (lpString="svchost.exe") returned 11 [0037.129] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.130] lstrlenW (lpString="svchost.exe") returned 11 [0037.130] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.130] lstrlenW (lpString="svchost.exe") returned 11 [0037.130] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.131] lstrlenW (lpString="svchost.exe") returned 11 [0037.131] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0037.131] lstrlenW (lpString="audiodg.exe") returned 11 [0037.131] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.132] lstrlenW (lpString="svchost.exe") returned 11 [0037.132] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.132] lstrlenW (lpString="svchost.exe") returned 11 [0037.132] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0037.133] lstrlenW (lpString="dwm.exe") returned 7 [0037.133] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0037.133] lstrlenW (lpString="explorer.exe") returned 12 [0037.133] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0037.134] lstrlenW (lpString="spoolsv.exe") returned 11 [0037.134] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.134] lstrlenW (lpString="svchost.exe") returned 11 [0037.134] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.135] lstrlenW (lpString="taskhost.exe") returned 12 [0037.135] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0037.135] lstrlenW (lpString="taskeng.exe") returned 11 [0037.135] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0037.136] lstrlenW (lpString="prime.exe") returned 9 [0037.136] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0037.136] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0037.137] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0037.137] lstrlenW (lpString="financing.exe") returned 13 [0037.137] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0037.137] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0037.137] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0037.138] lstrlenW (lpString="dg hit.exe") returned 10 [0037.138] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0037.138] lstrlenW (lpString="banners_drops.exe") returned 17 [0037.138] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0037.139] lstrlenW (lpString="vacuum.exe") returned 10 [0037.139] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0037.139] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0037.139] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0037.140] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0037.140] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0037.140] lstrlenW (lpString="holocauststored.exe") returned 19 [0037.140] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0037.141] lstrlenW (lpString="mini.exe") returned 8 [0037.141] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0037.141] lstrlenW (lpString="bi_tiny.exe") returned 11 [0037.141] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0037.142] lstrlenW (lpString="mall_drawn.exe") returned 14 [0037.142] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0037.142] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0037.142] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0037.143] lstrlenW (lpString="distributed.exe") returned 15 [0037.143] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0037.143] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0037.143] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0037.144] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0037.144] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0037.144] lstrlenW (lpString="3dftp.exe") returned 9 [0037.144] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0037.145] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0037.145] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0037.145] lstrlenW (lpString="alftp.exe") returned 9 [0037.145] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0037.146] lstrlenW (lpString="barca.exe") returned 9 [0037.146] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0037.146] lstrlenW (lpString="bitkinex.exe") returned 12 [0037.146] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0037.147] lstrlenW (lpString="coreftp.exe") returned 11 [0037.147] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0037.147] lstrlenW (lpString="far.exe") returned 7 [0037.147] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0037.148] lstrlenW (lpString="filezilla.exe") returned 13 [0037.148] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0037.148] lstrlenW (lpString="flashfxp.exe") returned 12 [0037.148] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0037.149] lstrlenW (lpString="fling.exe") returned 9 [0037.149] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0037.149] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0037.149] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0037.150] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0037.150] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0037.153] lstrlenW (lpString="icq.exe") returned 7 [0037.153] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0037.153] lstrlenW (lpString="leechftp.exe") returned 12 [0037.153] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0037.154] lstrlenW (lpString="ncftp.exe") returned 9 [0037.154] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0037.154] lstrlenW (lpString="notepad.exe") returned 11 [0037.154] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0037.155] lstrlenW (lpString="operamail.exe") returned 13 [0037.155] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0037.155] lstrlenW (lpString="pidgin.exe") returned 10 [0037.155] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0037.156] lstrlenW (lpString="scriptftp.exe") returned 13 [0037.156] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0037.157] lstrlenW (lpString="skype.exe") returned 9 [0037.157] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0037.158] lstrlenW (lpString="smartftp.exe") returned 12 [0037.158] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0037.158] lstrlenW (lpString="thunderbird.exe") returned 15 [0037.159] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0037.159] lstrlenW (lpString="totalcmd.exe") returned 12 [0037.159] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0037.160] lstrlenW (lpString="trillian.exe") returned 12 [0037.160] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0037.161] lstrlenW (lpString="webdrive.exe") returned 12 [0037.161] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0037.162] lstrlenW (lpString="whatsapp.exe") returned 12 [0037.162] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0037.162] lstrlenW (lpString="winscp.exe") returned 10 [0037.162] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0037.163] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0037.163] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0037.164] lstrlenW (lpString="active-charge.exe") returned 17 [0037.164] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0037.165] lstrlenW (lpString="accupos.exe") returned 11 [0037.165] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0037.165] lstrlenW (lpString="afr38.exe") returned 9 [0037.165] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0037.166] lstrlenW (lpString="aldelo.exe") returned 10 [0037.166] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0037.167] lstrlenW (lpString="ccv_server.exe") returned 14 [0037.167] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0037.168] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0037.168] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0037.168] lstrlenW (lpString="creditservice.exe") returned 17 [0037.168] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0037.169] lstrlenW (lpString="edcsvr.exe") returned 10 [0037.169] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0037.170] lstrlenW (lpString="fpos.exe") returned 8 [0037.170] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0037.170] lstrlenW (lpString="isspos.exe") returned 10 [0037.170] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0037.171] lstrlenW (lpString="mxslipstream.exe") returned 16 [0037.171] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0037.172] lstrlenW (lpString="omnipos.exe") returned 11 [0037.172] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0037.172] lstrlenW (lpString="spcwin.exe") returned 10 [0037.172] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0037.173] lstrlenW (lpString="spgagentservice.exe") returned 19 [0037.173] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0037.174] lstrlenW (lpString="utg2.exe") returned 8 [0037.174] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0037.174] lstrlenW (lpString="focuses.exe") returned 11 [0037.174] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0037.175] lstrlenW (lpString="fi fence.exe") returned 12 [0037.175] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0037.176] lstrlenW (lpString="knight.exe") returned 10 [0037.176] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0037.176] lstrlenW (lpString="library.exe") returned 11 [0037.176] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.177] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.177] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.177] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.177] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.178] lstrlenW (lpString="taskhost.exe") returned 12 [0037.178] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.179] lstrlenW (lpString="dllhost.exe") returned 11 [0037.179] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.179] lstrlenW (lpString="dllhost.exe") returned 11 [0037.179] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0037.180] lstrlenW (lpString="winhost.exe") returned 11 [0037.180] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.181] lstrlenW (lpString="cmd.exe") returned 7 [0037.181] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.181] lstrlenW (lpString="conhost.exe") returned 11 [0037.181] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0037.182] lstrlenW (lpString="mode.com") returned 8 [0037.182] Process32NextW (in: hSnapshot=0x16c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0037.182] CloseHandle (hObject=0x16c) returned 1 [0037.182] Sleep (dwMilliseconds=0x1f4) [0038.042] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3628 [0038.042] EnumServicesStatusExW (in: hSCManager=0x5a3628, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0038.043] GetLastError () returned 0xea [0038.043] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x3817440 [0038.043] EnumServicesStatusExW (in: hSCManager=0x5a3628, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3817440, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3817440, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0038.043] CloseServiceHandle (hSCObject=0x5a3628) returned 1 [0038.043] lstrlenW (lpString="Appinfo") returned 7 [0038.043] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0038.043] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0038.043] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0038.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0038.044] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0038.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.044] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0038.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0038.044] lstrlenW (lpString="AudioSrv") returned 8 [0038.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0038.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0038.044] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0038.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0038.044] lstrlenW (lpString="BFE") returned 3 [0038.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0038.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0038.044] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0038.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0038.044] lstrlenW (lpString="CryptSvc") returned 8 [0038.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0038.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0038.044] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0038.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0038.044] lstrlenW (lpString="CscService") returned 10 [0038.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0038.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0038.044] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0038.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0038.044] lstrlenW (lpString="DcomLaunch") returned 10 [0038.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.044] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0038.044] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0038.045] lstrlenW (lpString="Dhcp") returned 4 [0038.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0038.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0038.045] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0038.045] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0038.045] lstrlenW (lpString="Dnscache") returned 8 [0038.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0038.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0038.045] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0038.045] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0038.045] lstrlenW (lpString="DPS") returned 3 [0038.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0038.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0038.045] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0038.045] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0038.045] lstrlenW (lpString="eventlog") returned 8 [0038.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0038.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0038.045] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0038.045] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0038.045] lstrlenW (lpString="EventSystem") returned 11 [0038.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0038.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0038.045] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0038.045] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0038.045] lstrlenW (lpString="gpsvc") returned 5 [0038.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0038.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0038.045] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0038.045] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0038.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0038.046] lstrlenW (lpString="iphlpsvc") returned 8 [0038.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.046] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0038.046] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0038.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0038.046] lstrlenW (lpString="LanmanServer") returned 12 [0038.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0038.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0038.046] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0038.046] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0038.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0038.046] lstrlenW (lpString="LanmanWorkstation") returned 17 [0038.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.046] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0038.046] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0038.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0038.046] lstrlenW (lpString="lmhosts") returned 7 [0038.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0038.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0038.046] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0038.046] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0038.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0038.046] lstrlenW (lpString="MMCSS") returned 5 [0038.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0038.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0038.046] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0038.046] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0038.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0038.046] lstrlenW (lpString="MpsSvc") returned 6 [0038.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0038.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0038.046] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0038.046] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0038.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0038.046] lstrlenW (lpString="Netman") returned 6 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0038.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0038.047] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0038.047] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0038.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0038.047] lstrlenW (lpString="netprofm") returned 8 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0038.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0038.047] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0038.047] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0038.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0038.047] lstrlenW (lpString="NlaSvc") returned 6 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0038.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0038.047] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0038.047] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0038.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0038.047] lstrlenW (lpString="nsi") returned 3 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0038.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0038.047] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0038.047] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0038.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0038.047] lstrlenW (lpString="PcaSvc") returned 6 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0038.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0038.047] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0038.047] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0038.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0038.047] lstrlenW (lpString="PlugPlay") returned 8 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0038.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0038.047] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0038.047] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0038.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0038.047] lstrlenW (lpString="Power") returned 5 [0038.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0038.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0038.048] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0038.048] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0038.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0038.048] lstrlenW (lpString="ProfSvc") returned 7 [0038.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0038.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0038.048] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0038.048] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0038.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0038.048] lstrlenW (lpString="RpcEptMapper") returned 12 [0038.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.048] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0038.048] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0038.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0038.048] lstrlenW (lpString="RpcSs") returned 5 [0038.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0038.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0038.048] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0038.048] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0038.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0038.048] lstrlenW (lpString="SamSs") returned 5 [0038.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0038.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0038.048] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0038.048] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0038.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0038.048] lstrlenW (lpString="Schedule") returned 8 [0038.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0038.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0038.048] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0038.048] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0038.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0038.048] lstrlenW (lpString="SENS") returned 4 [0038.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0038.049] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0038.049] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0038.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0038.049] lstrlenW (lpString="ShellHWDetection") returned 16 [0038.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.049] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0038.049] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0038.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0038.049] lstrlenW (lpString="Spooler") returned 7 [0038.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0038.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0038.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0038.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0038.049] lstrlenW (lpString="SysMain") returned 7 [0038.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0038.049] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0038.049] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0038.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0038.049] lstrlenW (lpString="Themes") returned 6 [0038.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0038.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0038.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0038.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0038.049] lstrlenW (lpString="TrkWks") returned 6 [0038.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0038.049] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0038.049] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0038.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0038.049] lstrlenW (lpString="UxSms") returned 5 [0038.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0038.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0038.050] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0038.050] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0038.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0038.050] lstrlenW (lpString="WdiServiceHost") returned 14 [0038.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.050] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0038.050] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0038.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0038.050] lstrlenW (lpString="WdiSystemHost") returned 13 [0038.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.050] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0038.050] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0038.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0038.050] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0038.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.050] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0038.050] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0038.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0038.050] lstrlenW (lpString="Winmgmt") returned 7 [0038.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0038.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0038.050] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0038.050] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0038.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0038.050] lstrlenW (lpString="WPDBusEnum") returned 10 [0038.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.050] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0038.050] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0038.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0038.050] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3817440 | out: hHeap=0x500000) returned 1 [0038.050] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0038.053] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0038.054] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0038.054] lstrlenW (lpString="System") returned 6 [0038.054] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0038.054] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0038.054] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0038.054] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0038.054] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0038.054] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0038.054] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0038.054] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0038.055] lstrlenW (lpString="smss.exe") returned 8 [0038.055] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0038.055] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0038.055] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0038.055] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0038.055] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0038.055] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0038.055] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0038.055] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.056] lstrlenW (lpString="csrss.exe") returned 9 [0038.056] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.056] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.056] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.056] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.056] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.056] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.056] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0038.056] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0038.056] lstrlenW (lpString="wininit.exe") returned 11 [0038.056] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0038.056] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0038.057] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0038.057] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0038.057] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0038.057] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0038.057] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0038.057] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.057] lstrlenW (lpString="csrss.exe") returned 9 [0038.057] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.057] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.057] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.057] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.057] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.057] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.057] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0038.058] lstrlenW (lpString="winlogon.exe") returned 12 [0038.058] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0038.058] lstrlenW (lpString="services.exe") returned 12 [0038.058] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0038.059] lstrlenW (lpString="lsass.exe") returned 9 [0038.059] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0038.059] lstrlenW (lpString="lsm.exe") returned 7 [0038.059] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.078] lstrlenW (lpString="svchost.exe") returned 11 [0038.078] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.079] lstrlenW (lpString="svchost.exe") returned 11 [0038.079] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.079] lstrlenW (lpString="svchost.exe") returned 11 [0038.080] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.080] lstrlenW (lpString="svchost.exe") returned 11 [0038.080] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.269] lstrlenW (lpString="svchost.exe") returned 11 [0038.269] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0038.286] lstrlenW (lpString="audiodg.exe") returned 11 [0038.286] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.287] lstrlenW (lpString="svchost.exe") returned 11 [0038.287] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.287] lstrlenW (lpString="svchost.exe") returned 11 [0038.287] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0038.288] lstrlenW (lpString="dwm.exe") returned 7 [0038.288] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0038.288] lstrlenW (lpString="explorer.exe") returned 12 [0038.288] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0038.289] lstrlenW (lpString="spoolsv.exe") returned 11 [0038.289] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.289] lstrlenW (lpString="svchost.exe") returned 11 [0038.289] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.290] lstrlenW (lpString="taskhost.exe") returned 12 [0038.290] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0038.290] lstrlenW (lpString="taskeng.exe") returned 11 [0038.290] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0038.291] lstrlenW (lpString="prime.exe") returned 9 [0038.291] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0038.291] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0038.291] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0038.292] lstrlenW (lpString="financing.exe") returned 13 [0038.292] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0038.292] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0038.292] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0038.293] lstrlenW (lpString="dg hit.exe") returned 10 [0038.293] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0038.293] lstrlenW (lpString="banners_drops.exe") returned 17 [0038.293] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0038.294] lstrlenW (lpString="vacuum.exe") returned 10 [0038.294] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0038.294] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0038.294] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0038.295] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0038.295] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0038.295] lstrlenW (lpString="holocauststored.exe") returned 19 [0038.295] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0038.296] lstrlenW (lpString="mini.exe") returned 8 [0038.296] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0038.296] lstrlenW (lpString="bi_tiny.exe") returned 11 [0038.297] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0038.297] lstrlenW (lpString="mall_drawn.exe") returned 14 [0038.297] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0038.298] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0038.298] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0038.298] lstrlenW (lpString="distributed.exe") returned 15 [0038.298] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0038.299] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0038.299] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0038.299] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0038.299] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0038.300] lstrlenW (lpString="3dftp.exe") returned 9 [0038.300] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0038.300] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0038.300] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0038.301] lstrlenW (lpString="alftp.exe") returned 9 [0038.301] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0038.302] lstrlenW (lpString="barca.exe") returned 9 [0038.302] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0038.302] lstrlenW (lpString="bitkinex.exe") returned 12 [0038.302] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0038.303] lstrlenW (lpString="coreftp.exe") returned 11 [0038.303] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0038.303] lstrlenW (lpString="far.exe") returned 7 [0038.303] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0038.304] lstrlenW (lpString="filezilla.exe") returned 13 [0038.304] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0038.304] lstrlenW (lpString="flashfxp.exe") returned 12 [0038.304] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0038.493] lstrlenW (lpString="fling.exe") returned 9 [0038.493] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0038.493] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0038.493] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0038.494] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0038.494] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0038.494] lstrlenW (lpString="icq.exe") returned 7 [0038.494] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0038.495] lstrlenW (lpString="leechftp.exe") returned 12 [0038.495] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0038.495] lstrlenW (lpString="ncftp.exe") returned 9 [0038.495] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0038.504] lstrlenW (lpString="notepad.exe") returned 11 [0038.504] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0038.505] lstrlenW (lpString="operamail.exe") returned 13 [0038.505] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0038.523] lstrlenW (lpString="pidgin.exe") returned 10 [0038.523] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0038.524] lstrlenW (lpString="scriptftp.exe") returned 13 [0038.524] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0038.525] lstrlenW (lpString="skype.exe") returned 9 [0038.525] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0038.526] lstrlenW (lpString="smartftp.exe") returned 12 [0038.526] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0038.526] lstrlenW (lpString="thunderbird.exe") returned 15 [0038.527] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0038.527] lstrlenW (lpString="totalcmd.exe") returned 12 [0038.527] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0038.528] lstrlenW (lpString="trillian.exe") returned 12 [0038.528] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0038.529] lstrlenW (lpString="webdrive.exe") returned 12 [0038.529] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0038.530] lstrlenW (lpString="whatsapp.exe") returned 12 [0038.530] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0038.530] lstrlenW (lpString="winscp.exe") returned 10 [0038.530] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0038.531] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0038.531] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0038.532] lstrlenW (lpString="active-charge.exe") returned 17 [0038.532] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0038.533] lstrlenW (lpString="accupos.exe") returned 11 [0038.533] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0038.533] lstrlenW (lpString="afr38.exe") returned 9 [0038.533] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0038.534] lstrlenW (lpString="aldelo.exe") returned 10 [0038.534] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0038.535] lstrlenW (lpString="ccv_server.exe") returned 14 [0038.535] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0038.536] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0038.536] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0038.536] lstrlenW (lpString="creditservice.exe") returned 17 [0038.536] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0038.537] lstrlenW (lpString="edcsvr.exe") returned 10 [0038.537] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0038.538] lstrlenW (lpString="fpos.exe") returned 8 [0038.538] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0038.538] lstrlenW (lpString="isspos.exe") returned 10 [0038.538] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0038.539] lstrlenW (lpString="mxslipstream.exe") returned 16 [0038.539] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0038.540] lstrlenW (lpString="omnipos.exe") returned 11 [0038.540] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0038.541] lstrlenW (lpString="spcwin.exe") returned 10 [0038.541] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0038.541] lstrlenW (lpString="spgagentservice.exe") returned 19 [0038.541] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0038.542] lstrlenW (lpString="utg2.exe") returned 8 [0038.542] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0038.543] lstrlenW (lpString="focuses.exe") returned 11 [0038.543] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0038.543] lstrlenW (lpString="fi fence.exe") returned 12 [0038.543] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0038.544] lstrlenW (lpString="knight.exe") returned 10 [0038.544] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0038.545] lstrlenW (lpString="library.exe") returned 11 [0038.545] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.545] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0038.545] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.546] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0038.546] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.547] lstrlenW (lpString="taskhost.exe") returned 12 [0038.547] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.547] lstrlenW (lpString="dllhost.exe") returned 11 [0038.547] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.548] lstrlenW (lpString="dllhost.exe") returned 11 [0038.548] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0038.548] lstrlenW (lpString="winhost.exe") returned 11 [0038.548] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0038.549] lstrlenW (lpString="cmd.exe") returned 7 [0038.549] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0038.550] lstrlenW (lpString="conhost.exe") returned 11 [0038.550] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0038.550] lstrlenW (lpString="mode.com") returned 8 [0038.550] Process32NextW (in: hSnapshot=0x1b0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0038.551] CloseHandle (hObject=0x1b0) returned 1 [0038.551] Sleep (dwMilliseconds=0x1f4) [0039.363] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3a88 [0039.363] EnumServicesStatusExW (in: hSCManager=0x5a3a88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0039.364] GetLastError () returned 0xea [0039.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x381d358 [0039.364] EnumServicesStatusExW (in: hSCManager=0x5a3a88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x381d358, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x381d358, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0039.364] CloseServiceHandle (hSCObject=0x5a3a88) returned 1 [0039.365] lstrlenW (lpString="Appinfo") returned 7 [0039.365] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0039.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0039.365] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0039.365] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0039.365] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0039.365] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0039.365] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.365] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0039.365] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0039.365] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0039.365] lstrlenW (lpString="AudioSrv") returned 8 [0039.365] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0039.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0039.365] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0039.365] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0039.365] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0039.365] lstrlenW (lpString="BFE") returned 3 [0039.365] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0039.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0039.365] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0039.365] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0039.366] lstrlenW (lpString="CryptSvc") returned 8 [0039.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0039.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0039.366] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0039.366] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0039.366] lstrlenW (lpString="CscService") returned 10 [0039.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0039.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0039.366] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0039.366] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0039.366] lstrlenW (lpString="DcomLaunch") returned 10 [0039.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.366] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0039.366] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0039.366] lstrlenW (lpString="Dhcp") returned 4 [0039.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0039.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0039.366] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0039.366] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0039.366] lstrlenW (lpString="Dnscache") returned 8 [0039.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0039.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0039.366] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0039.366] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0039.366] lstrlenW (lpString="DPS") returned 3 [0039.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0039.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0039.366] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0039.366] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0039.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0039.367] lstrlenW (lpString="eventlog") returned 8 [0039.367] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0039.367] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0039.367] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0039.367] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0039.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0039.367] lstrlenW (lpString="EventSystem") returned 11 [0039.367] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0039.367] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0039.367] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0039.367] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0039.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0039.367] lstrlenW (lpString="gpsvc") returned 5 [0039.367] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0039.367] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0039.367] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0039.367] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0039.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0039.367] lstrlenW (lpString="iphlpsvc") returned 8 [0039.367] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.367] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.367] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0039.367] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0039.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0039.367] lstrlenW (lpString="LanmanServer") returned 12 [0039.367] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0039.367] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0039.367] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0039.367] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0039.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0039.367] lstrlenW (lpString="LanmanWorkstation") returned 17 [0039.367] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.367] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.367] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0039.367] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0039.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0039.368] lstrlenW (lpString="lmhosts") returned 7 [0039.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0039.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0039.368] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0039.368] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0039.368] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0039.368] lstrlenW (lpString="MMCSS") returned 5 [0039.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0039.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0039.368] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0039.368] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0039.368] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0039.368] lstrlenW (lpString="MpsSvc") returned 6 [0039.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0039.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0039.368] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0039.368] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0039.368] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0039.368] lstrlenW (lpString="Netman") returned 6 [0039.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0039.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0039.368] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0039.368] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0039.368] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0039.368] lstrlenW (lpString="netprofm") returned 8 [0039.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0039.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0039.368] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0039.368] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0039.368] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0039.368] lstrlenW (lpString="NlaSvc") returned 6 [0039.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0039.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0039.368] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0039.368] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0039.368] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0039.368] lstrlenW (lpString="nsi") returned 3 [0039.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0039.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0039.369] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0039.369] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0039.369] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0039.369] lstrlenW (lpString="PcaSvc") returned 6 [0039.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0039.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0039.369] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0039.369] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0039.369] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0039.369] lstrlenW (lpString="PlugPlay") returned 8 [0039.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0039.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0039.369] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0039.369] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0039.369] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0039.369] lstrlenW (lpString="Power") returned 5 [0039.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0039.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0039.369] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0039.369] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0039.369] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0039.369] lstrlenW (lpString="ProfSvc") returned 7 [0039.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0039.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0039.369] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0039.369] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0039.369] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0039.369] lstrlenW (lpString="RpcEptMapper") returned 12 [0039.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.369] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0039.369] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0039.369] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0039.369] lstrlenW (lpString="RpcSs") returned 5 [0039.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0039.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0039.370] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0039.370] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0039.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0039.370] lstrlenW (lpString="SamSs") returned 5 [0039.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0039.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0039.370] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0039.370] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0039.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0039.370] lstrlenW (lpString="Schedule") returned 8 [0039.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0039.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0039.370] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0039.370] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0039.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0039.370] lstrlenW (lpString="SENS") returned 4 [0039.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0039.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0039.370] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0039.370] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0039.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0039.370] lstrlenW (lpString="ShellHWDetection") returned 16 [0039.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.370] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0039.370] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0039.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0039.370] lstrlenW (lpString="Spooler") returned 7 [0039.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0039.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0039.370] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0039.370] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0039.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0039.370] lstrlenW (lpString="SysMain") returned 7 [0039.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0039.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0039.371] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0039.371] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0039.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0039.371] lstrlenW (lpString="Themes") returned 6 [0039.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0039.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0039.371] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0039.371] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0039.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0039.371] lstrlenW (lpString="TrkWks") returned 6 [0039.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0039.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0039.371] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0039.371] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0039.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0039.371] lstrlenW (lpString="UxSms") returned 5 [0039.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0039.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0039.371] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0039.371] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0039.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0039.371] lstrlenW (lpString="WdiServiceHost") returned 14 [0039.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.371] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0039.371] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0039.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0039.371] lstrlenW (lpString="WdiSystemHost") returned 13 [0039.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.371] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0039.371] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0039.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0039.371] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0039.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.372] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0039.372] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0039.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0039.372] lstrlenW (lpString="Winmgmt") returned 7 [0039.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0039.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0039.372] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0039.372] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0039.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0039.372] lstrlenW (lpString="WPDBusEnum") returned 10 [0039.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.372] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0039.372] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0039.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0039.372] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x381d358 | out: hHeap=0x500000) returned 1 [0039.372] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e4 [0039.375] Process32FirstW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0039.376] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0039.376] lstrlenW (lpString="System") returned 6 [0039.376] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0039.376] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0039.376] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0039.376] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0039.376] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0039.376] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0039.376] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0039.376] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0039.377] lstrlenW (lpString="smss.exe") returned 8 [0039.377] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0039.377] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.377] lstrlenW (lpString="csrss.exe") returned 9 [0039.377] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.377] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.378] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.378] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.378] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.378] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0039.378] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0039.378] lstrlenW (lpString="wininit.exe") returned 11 [0039.378] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0039.378] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0039.378] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0039.378] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0039.378] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0039.378] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0039.378] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0039.378] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.379] lstrlenW (lpString="csrss.exe") returned 9 [0039.379] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.379] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.379] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.379] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.379] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.379] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.379] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0039.380] lstrlenW (lpString="winlogon.exe") returned 12 [0039.380] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0039.380] lstrlenW (lpString="services.exe") returned 12 [0039.380] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0039.381] lstrlenW (lpString="lsass.exe") returned 9 [0039.381] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0039.398] lstrlenW (lpString="lsm.exe") returned 7 [0039.399] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.399] lstrlenW (lpString="svchost.exe") returned 11 [0039.399] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.400] lstrlenW (lpString="svchost.exe") returned 11 [0039.400] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.400] lstrlenW (lpString="svchost.exe") returned 11 [0039.400] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.401] lstrlenW (lpString="svchost.exe") returned 11 [0039.401] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.401] lstrlenW (lpString="svchost.exe") returned 11 [0039.401] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0039.402] lstrlenW (lpString="audiodg.exe") returned 11 [0039.402] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.402] lstrlenW (lpString="svchost.exe") returned 11 [0039.402] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.403] lstrlenW (lpString="svchost.exe") returned 11 [0039.403] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0039.403] lstrlenW (lpString="dwm.exe") returned 7 [0039.403] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0039.404] lstrlenW (lpString="explorer.exe") returned 12 [0039.404] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0039.404] lstrlenW (lpString="spoolsv.exe") returned 11 [0039.404] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.405] lstrlenW (lpString="svchost.exe") returned 11 [0039.405] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.405] lstrlenW (lpString="taskhost.exe") returned 12 [0039.405] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0039.406] lstrlenW (lpString="taskeng.exe") returned 11 [0039.406] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0039.406] lstrlenW (lpString="prime.exe") returned 9 [0039.406] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0039.407] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0039.407] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0039.407] lstrlenW (lpString="financing.exe") returned 13 [0039.407] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0039.408] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0039.408] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0039.408] lstrlenW (lpString="dg hit.exe") returned 10 [0039.408] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0039.409] lstrlenW (lpString="banners_drops.exe") returned 17 [0039.409] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0039.409] lstrlenW (lpString="vacuum.exe") returned 10 [0039.409] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0039.410] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0039.410] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0039.410] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0039.410] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0039.411] lstrlenW (lpString="holocauststored.exe") returned 19 [0039.411] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0039.411] lstrlenW (lpString="mini.exe") returned 8 [0039.411] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0039.412] lstrlenW (lpString="bi_tiny.exe") returned 11 [0039.412] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0039.413] lstrlenW (lpString="mall_drawn.exe") returned 14 [0039.413] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0039.413] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0039.413] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0039.414] lstrlenW (lpString="distributed.exe") returned 15 [0039.414] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0039.414] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0039.414] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0039.415] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0039.415] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0039.415] lstrlenW (lpString="3dftp.exe") returned 9 [0039.415] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0039.416] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0039.416] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0039.416] lstrlenW (lpString="alftp.exe") returned 9 [0039.416] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0039.417] lstrlenW (lpString="barca.exe") returned 9 [0039.417] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0039.417] lstrlenW (lpString="bitkinex.exe") returned 12 [0039.417] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0039.418] lstrlenW (lpString="coreftp.exe") returned 11 [0039.418] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0039.418] lstrlenW (lpString="far.exe") returned 7 [0039.418] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0039.419] lstrlenW (lpString="filezilla.exe") returned 13 [0039.419] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0039.419] lstrlenW (lpString="flashfxp.exe") returned 12 [0039.419] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0039.420] lstrlenW (lpString="fling.exe") returned 9 [0039.420] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0039.420] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0039.420] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0039.421] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0039.421] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0039.421] lstrlenW (lpString="icq.exe") returned 7 [0039.421] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0039.422] lstrlenW (lpString="leechftp.exe") returned 12 [0039.422] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0039.422] lstrlenW (lpString="ncftp.exe") returned 9 [0039.422] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0039.423] lstrlenW (lpString="notepad.exe") returned 11 [0039.423] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0039.423] lstrlenW (lpString="operamail.exe") returned 13 [0039.423] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0039.424] lstrlenW (lpString="pidgin.exe") returned 10 [0039.424] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0039.425] lstrlenW (lpString="scriptftp.exe") returned 13 [0039.425] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0039.426] lstrlenW (lpString="skype.exe") returned 9 [0039.426] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0039.426] lstrlenW (lpString="smartftp.exe") returned 12 [0039.426] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0039.427] lstrlenW (lpString="thunderbird.exe") returned 15 [0039.427] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0039.662] lstrlenW (lpString="totalcmd.exe") returned 12 [0039.663] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0039.663] lstrlenW (lpString="trillian.exe") returned 12 [0039.663] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0039.664] lstrlenW (lpString="webdrive.exe") returned 12 [0039.664] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0039.665] lstrlenW (lpString="whatsapp.exe") returned 12 [0039.665] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0039.666] lstrlenW (lpString="winscp.exe") returned 10 [0039.666] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0039.666] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0039.667] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0039.667] lstrlenW (lpString="active-charge.exe") returned 17 [0039.667] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0039.668] lstrlenW (lpString="accupos.exe") returned 11 [0039.668] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0039.669] lstrlenW (lpString="afr38.exe") returned 9 [0039.669] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0039.670] lstrlenW (lpString="aldelo.exe") returned 10 [0039.670] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0039.670] lstrlenW (lpString="ccv_server.exe") returned 14 [0039.670] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0039.671] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0039.671] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0039.672] lstrlenW (lpString="creditservice.exe") returned 17 [0039.672] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0039.672] lstrlenW (lpString="edcsvr.exe") returned 10 [0039.672] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0039.673] lstrlenW (lpString="fpos.exe") returned 8 [0039.673] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0039.674] lstrlenW (lpString="isspos.exe") returned 10 [0039.674] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0039.675] lstrlenW (lpString="mxslipstream.exe") returned 16 [0039.675] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0039.675] lstrlenW (lpString="omnipos.exe") returned 11 [0039.675] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0039.676] lstrlenW (lpString="spcwin.exe") returned 10 [0039.676] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0039.677] lstrlenW (lpString="spgagentservice.exe") returned 19 [0039.677] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0039.677] lstrlenW (lpString="utg2.exe") returned 8 [0039.677] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0039.679] lstrlenW (lpString="focuses.exe") returned 11 [0039.679] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0039.679] lstrlenW (lpString="fi fence.exe") returned 12 [0039.679] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0039.680] lstrlenW (lpString="knight.exe") returned 10 [0039.680] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0039.681] lstrlenW (lpString="library.exe") returned 11 [0039.681] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0039.681] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.681] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0039.682] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.682] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.683] lstrlenW (lpString="taskhost.exe") returned 12 [0039.683] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.683] lstrlenW (lpString="dllhost.exe") returned 11 [0039.683] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.684] lstrlenW (lpString="dllhost.exe") returned 11 [0039.684] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0039.684] lstrlenW (lpString="winhost.exe") returned 11 [0039.684] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0039.685] lstrlenW (lpString="cmd.exe") returned 7 [0039.685] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0039.686] lstrlenW (lpString="conhost.exe") returned 11 [0039.686] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0039.686] lstrlenW (lpString="vssadmin.exe") returned 12 [0039.686] Process32NextW (in: hSnapshot=0x1e4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0039.687] CloseHandle (hObject=0x1e4) returned 1 [0039.687] Sleep (dwMilliseconds=0x1f4) [0040.868] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b00 [0040.868] EnumServicesStatusExW (in: hSCManager=0x5a3b00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0040.868] GetLastError () returned 0xea [0040.868] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x3f03088 [0040.868] EnumServicesStatusExW (in: hSCManager=0x5a3b00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f03088, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f03088, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0040.869] CloseServiceHandle (hSCObject=0x5a3b00) returned 1 [0040.869] lstrlenW (lpString="Appinfo") returned 7 [0040.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0040.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0040.870] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0040.870] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0040.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0040.870] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0040.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.870] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0040.870] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0040.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0040.871] lstrlenW (lpString="AudioSrv") returned 8 [0040.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0040.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0040.871] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0040.871] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0040.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0040.871] lstrlenW (lpString="BFE") returned 3 [0040.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0040.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0040.871] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0040.871] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0040.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0040.871] lstrlenW (lpString="CryptSvc") returned 8 [0040.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0040.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0040.871] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0040.871] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0040.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0040.871] lstrlenW (lpString="CscService") returned 10 [0040.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0040.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0040.871] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0040.871] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0040.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0040.871] lstrlenW (lpString="DcomLaunch") returned 10 [0040.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.871] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0040.871] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0040.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0040.871] lstrlenW (lpString="Dhcp") returned 4 [0040.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0040.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0040.871] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0040.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0040.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0040.872] lstrlenW (lpString="Dnscache") returned 8 [0040.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0040.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0040.872] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0040.872] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0040.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0040.872] lstrlenW (lpString="DPS") returned 3 [0040.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0040.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0040.872] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0040.872] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0040.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0040.872] lstrlenW (lpString="eventlog") returned 8 [0040.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0040.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0040.872] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0040.872] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0040.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0040.872] lstrlenW (lpString="EventSystem") returned 11 [0040.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0040.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0040.872] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0040.872] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0040.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0040.872] lstrlenW (lpString="gpsvc") returned 5 [0040.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0040.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0040.872] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0040.872] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0040.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0040.872] lstrlenW (lpString="iphlpsvc") returned 8 [0040.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.872] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0040.872] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0040.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0040.873] lstrlenW (lpString="LanmanServer") returned 12 [0040.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0040.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0040.873] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0040.873] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0040.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0040.873] lstrlenW (lpString="LanmanWorkstation") returned 17 [0040.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.873] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0040.873] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0040.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0040.873] lstrlenW (lpString="lmhosts") returned 7 [0040.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0040.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0040.873] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0040.873] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0040.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0040.873] lstrlenW (lpString="MMCSS") returned 5 [0040.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0040.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0040.873] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0040.873] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0040.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0040.873] lstrlenW (lpString="MpsSvc") returned 6 [0040.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0040.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0040.873] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0040.873] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0040.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0040.873] lstrlenW (lpString="Netman") returned 6 [0040.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0040.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0040.873] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0040.873] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0040.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0040.874] lstrlenW (lpString="netprofm") returned 8 [0040.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0040.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0040.874] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0040.874] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0040.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0040.874] lstrlenW (lpString="NlaSvc") returned 6 [0040.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0040.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0040.874] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0040.874] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0040.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0040.874] lstrlenW (lpString="nsi") returned 3 [0040.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0040.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0040.874] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0040.874] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0040.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0040.874] lstrlenW (lpString="PcaSvc") returned 6 [0040.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0040.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0040.874] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0040.874] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0040.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0040.874] lstrlenW (lpString="PlugPlay") returned 8 [0040.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0040.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0040.874] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0040.874] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0040.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0040.874] lstrlenW (lpString="Power") returned 5 [0040.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0040.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0040.874] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0040.875] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0040.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0040.875] lstrlenW (lpString="ProfSvc") returned 7 [0040.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0040.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0040.875] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0040.875] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0040.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0040.875] lstrlenW (lpString="RpcEptMapper") returned 12 [0040.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.875] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0040.875] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0040.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0040.875] lstrlenW (lpString="RpcSs") returned 5 [0040.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0040.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0040.875] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0040.875] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0040.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0040.875] lstrlenW (lpString="SamSs") returned 5 [0040.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0040.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0040.875] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0040.875] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0040.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0040.875] lstrlenW (lpString="Schedule") returned 8 [0040.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0040.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0040.875] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0040.875] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0040.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0040.875] lstrlenW (lpString="SENS") returned 4 [0040.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0040.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0040.876] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0040.876] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0040.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0040.876] lstrlenW (lpString="ShellHWDetection") returned 16 [0040.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.876] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0040.876] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0040.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0040.876] lstrlenW (lpString="Spooler") returned 7 [0040.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0040.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0040.876] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0040.876] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0040.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0040.876] lstrlenW (lpString="SysMain") returned 7 [0040.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0040.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0040.876] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0040.876] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0040.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0040.876] lstrlenW (lpString="Themes") returned 6 [0040.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0040.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0040.876] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0040.876] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0040.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0040.876] lstrlenW (lpString="TrkWks") returned 6 [0040.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0040.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0040.876] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0040.876] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0040.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0040.876] lstrlenW (lpString="UxSms") returned 5 [0040.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0040.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0040.877] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0040.877] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0040.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0040.877] lstrlenW (lpString="WdiServiceHost") returned 14 [0040.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.877] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0040.877] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0040.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0040.877] lstrlenW (lpString="WdiSystemHost") returned 13 [0040.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.877] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0040.877] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0040.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0040.877] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0040.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.877] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0040.877] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0040.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0040.877] lstrlenW (lpString="Winmgmt") returned 7 [0040.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0040.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0040.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0040.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0040.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0040.877] lstrlenW (lpString="WPDBusEnum") returned 10 [0040.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.877] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0040.877] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0040.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0040.878] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f03088 | out: hHeap=0x500000) returned 1 [0040.878] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0040.881] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.881] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.882] lstrlenW (lpString="System") returned 6 [0040.882] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0040.882] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0040.882] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0040.882] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0040.882] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0040.882] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0040.882] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0040.882] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.882] lstrlenW (lpString="smss.exe") returned 8 [0040.882] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0040.882] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0040.882] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0040.882] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0040.882] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0040.882] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0040.882] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0040.882] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.883] lstrlenW (lpString="csrss.exe") returned 9 [0040.883] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.883] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.883] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.883] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.883] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.883] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.883] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0040.883] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.884] lstrlenW (lpString="wininit.exe") returned 11 [0040.884] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0040.884] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0040.884] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0040.884] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0040.884] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0040.884] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0040.884] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0040.884] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.884] lstrlenW (lpString="csrss.exe") returned 9 [0040.884] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.884] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.884] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.884] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.884] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.885] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.885] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.885] lstrlenW (lpString="winlogon.exe") returned 12 [0040.885] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.886] lstrlenW (lpString="services.exe") returned 12 [0040.886] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.886] lstrlenW (lpString="lsass.exe") returned 9 [0040.886] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.887] lstrlenW (lpString="lsm.exe") returned 7 [0040.887] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.887] lstrlenW (lpString="svchost.exe") returned 11 [0040.887] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.888] lstrlenW (lpString="svchost.exe") returned 11 [0040.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.888] lstrlenW (lpString="svchost.exe") returned 11 [0040.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.889] lstrlenW (lpString="svchost.exe") returned 11 [0040.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.889] lstrlenW (lpString="svchost.exe") returned 11 [0040.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.890] lstrlenW (lpString="audiodg.exe") returned 11 [0040.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.890] lstrlenW (lpString="svchost.exe") returned 11 [0040.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.891] lstrlenW (lpString="svchost.exe") returned 11 [0040.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.891] lstrlenW (lpString="dwm.exe") returned 7 [0040.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.892] lstrlenW (lpString="explorer.exe") returned 12 [0040.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.892] lstrlenW (lpString="spoolsv.exe") returned 11 [0040.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.893] lstrlenW (lpString="svchost.exe") returned 11 [0040.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.894] lstrlenW (lpString="taskhost.exe") returned 12 [0040.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.894] lstrlenW (lpString="taskeng.exe") returned 11 [0040.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0040.898] lstrlenW (lpString="prime.exe") returned 9 [0040.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0040.898] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0040.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0040.899] lstrlenW (lpString="financing.exe") returned 13 [0040.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0040.899] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0040.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0040.900] lstrlenW (lpString="dg hit.exe") returned 10 [0040.900] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0040.900] lstrlenW (lpString="banners_drops.exe") returned 17 [0040.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0040.901] lstrlenW (lpString="vacuum.exe") returned 10 [0040.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0040.902] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0040.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0040.902] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0040.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0040.903] lstrlenW (lpString="holocauststored.exe") returned 19 [0040.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0040.903] lstrlenW (lpString="mini.exe") returned 8 [0040.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0040.904] lstrlenW (lpString="bi_tiny.exe") returned 11 [0040.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0040.904] lstrlenW (lpString="mall_drawn.exe") returned 14 [0040.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0040.905] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0040.905] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0040.905] lstrlenW (lpString="distributed.exe") returned 15 [0040.905] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0040.906] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0040.906] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0040.906] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0040.906] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0040.907] lstrlenW (lpString="3dftp.exe") returned 9 [0040.907] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0040.907] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0040.907] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0040.908] lstrlenW (lpString="alftp.exe") returned 9 [0040.908] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0040.908] lstrlenW (lpString="barca.exe") returned 9 [0040.908] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0040.909] lstrlenW (lpString="bitkinex.exe") returned 12 [0040.909] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0040.909] lstrlenW (lpString="coreftp.exe") returned 11 [0040.909] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0041.382] lstrlenW (lpString="far.exe") returned 7 [0041.382] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0041.383] lstrlenW (lpString="filezilla.exe") returned 13 [0041.383] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0041.383] lstrlenW (lpString="flashfxp.exe") returned 12 [0041.383] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0041.384] lstrlenW (lpString="fling.exe") returned 9 [0041.384] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0041.384] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0041.384] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0041.385] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0041.385] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0041.385] lstrlenW (lpString="icq.exe") returned 7 [0041.386] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0041.386] lstrlenW (lpString="leechftp.exe") returned 12 [0041.386] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0041.387] lstrlenW (lpString="ncftp.exe") returned 9 [0041.387] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0041.387] lstrlenW (lpString="notepad.exe") returned 11 [0041.387] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0041.388] lstrlenW (lpString="operamail.exe") returned 13 [0041.388] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0041.389] lstrlenW (lpString="pidgin.exe") returned 10 [0041.389] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0041.389] lstrlenW (lpString="scriptftp.exe") returned 13 [0041.389] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0041.390] lstrlenW (lpString="skype.exe") returned 9 [0041.390] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0041.391] lstrlenW (lpString="smartftp.exe") returned 12 [0041.391] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0041.392] lstrlenW (lpString="thunderbird.exe") returned 15 [0041.392] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0041.393] lstrlenW (lpString="totalcmd.exe") returned 12 [0041.393] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0041.394] lstrlenW (lpString="trillian.exe") returned 12 [0041.394] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0041.394] lstrlenW (lpString="webdrive.exe") returned 12 [0041.394] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0041.395] lstrlenW (lpString="whatsapp.exe") returned 12 [0041.395] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0041.396] lstrlenW (lpString="winscp.exe") returned 10 [0041.396] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0041.397] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0041.397] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0041.397] lstrlenW (lpString="active-charge.exe") returned 17 [0041.397] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0041.398] lstrlenW (lpString="accupos.exe") returned 11 [0041.398] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0041.399] lstrlenW (lpString="afr38.exe") returned 9 [0041.399] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0041.400] lstrlenW (lpString="aldelo.exe") returned 10 [0041.400] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0041.400] lstrlenW (lpString="ccv_server.exe") returned 14 [0041.401] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0041.401] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0041.401] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0041.402] lstrlenW (lpString="creditservice.exe") returned 17 [0041.402] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0041.403] lstrlenW (lpString="edcsvr.exe") returned 10 [0041.403] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0041.403] lstrlenW (lpString="fpos.exe") returned 8 [0041.403] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0041.404] lstrlenW (lpString="isspos.exe") returned 10 [0041.404] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0041.405] lstrlenW (lpString="mxslipstream.exe") returned 16 [0041.405] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0041.405] lstrlenW (lpString="omnipos.exe") returned 11 [0041.406] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0041.406] lstrlenW (lpString="spcwin.exe") returned 10 [0041.406] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0041.407] lstrlenW (lpString="spgagentservice.exe") returned 19 [0041.407] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0041.407] lstrlenW (lpString="utg2.exe") returned 8 [0041.408] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0041.408] lstrlenW (lpString="focuses.exe") returned 11 [0041.408] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0041.409] lstrlenW (lpString="fi fence.exe") returned 12 [0041.409] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0041.410] lstrlenW (lpString="knight.exe") returned 10 [0041.410] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0041.411] lstrlenW (lpString="library.exe") returned 11 [0041.411] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.412] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0041.412] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.412] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0041.412] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.413] lstrlenW (lpString="taskhost.exe") returned 12 [0041.413] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0041.413] lstrlenW (lpString="dllhost.exe") returned 11 [0041.413] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0041.414] lstrlenW (lpString="dllhost.exe") returned 11 [0041.414] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0041.415] lstrlenW (lpString="winhost.exe") returned 11 [0041.415] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0041.415] lstrlenW (lpString="cmd.exe") returned 7 [0041.415] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0041.416] lstrlenW (lpString="conhost.exe") returned 11 [0041.416] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0041.416] lstrlenW (lpString="vssadmin.exe") returned 12 [0041.416] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0041.417] CloseHandle (hObject=0x1a0) returned 1 [0041.417] Sleep (dwMilliseconds=0x1f4) [0042.625] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b28 [0042.626] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0042.627] GetLastError () returned 0xea [0042.627] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x381d358 [0042.627] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x381d358, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x381d358, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0042.628] CloseServiceHandle (hSCObject=0x5a3b28) returned 1 [0042.628] lstrlenW (lpString="Appinfo") returned 7 [0042.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.628] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.628] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.628] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.628] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.628] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.629] lstrlenW (lpString="AudioSrv") returned 8 [0042.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.629] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.629] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.629] lstrlenW (lpString="BFE") returned 3 [0042.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.629] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.629] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.629] lstrlenW (lpString="CryptSvc") returned 8 [0042.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.629] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.629] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.629] lstrlenW (lpString="CscService") returned 10 [0042.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.629] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.629] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.629] lstrlenW (lpString="DcomLaunch") returned 10 [0042.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.629] lstrlenW (lpString="Dhcp") returned 4 [0042.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.629] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.630] lstrlenW (lpString="Dnscache") returned 8 [0042.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.630] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.630] lstrlenW (lpString="DPS") returned 3 [0042.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.630] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.630] lstrlenW (lpString="eventlog") returned 8 [0042.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.630] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.630] lstrlenW (lpString="EventSystem") returned 11 [0042.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.630] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.630] lstrlenW (lpString="gpsvc") returned 5 [0042.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.630] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.630] lstrlenW (lpString="iphlpsvc") returned 8 [0042.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.630] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.630] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.631] lstrlenW (lpString="LanmanServer") returned 12 [0042.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.631] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.631] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.631] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.631] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.631] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.631] lstrlenW (lpString="lmhosts") returned 7 [0042.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.631] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.631] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.631] lstrlenW (lpString="MMCSS") returned 5 [0042.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.631] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.631] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.631] lstrlenW (lpString="MpsSvc") returned 6 [0042.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.631] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.631] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.631] lstrlenW (lpString="Netman") returned 6 [0042.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.632] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.632] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.632] lstrlenW (lpString="netprofm") returned 8 [0042.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.632] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.632] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.632] lstrlenW (lpString="NlaSvc") returned 6 [0042.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.632] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.632] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.632] lstrlenW (lpString="nsi") returned 3 [0042.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.632] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.632] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.632] lstrlenW (lpString="PcaSvc") returned 6 [0042.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.632] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.632] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.632] lstrlenW (lpString="PlugPlay") returned 8 [0042.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.632] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.632] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.633] lstrlenW (lpString="Power") returned 5 [0042.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.633] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.633] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.633] lstrlenW (lpString="ProfSvc") returned 7 [0042.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.633] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.633] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.633] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.633] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.633] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.633] lstrlenW (lpString="RpcSs") returned 5 [0042.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.633] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.633] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.633] lstrlenW (lpString="SamSs") returned 5 [0042.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.633] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.633] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.633] lstrlenW (lpString="Schedule") returned 8 [0042.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.633] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.634] lstrlenW (lpString="SENS") returned 4 [0042.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.634] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.634] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.634] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.634] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.634] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.634] lstrlenW (lpString="Spooler") returned 7 [0042.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.634] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.634] lstrlenW (lpString="SysMain") returned 7 [0042.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.634] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.634] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.634] lstrlenW (lpString="Themes") returned 6 [0042.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.634] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0042.634] lstrlenW (lpString="TrkWks") returned 6 [0042.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0042.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0042.634] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0042.635] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0042.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0042.635] lstrlenW (lpString="UxSms") returned 5 [0042.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0042.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0042.635] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0042.635] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0042.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0042.635] lstrlenW (lpString="WdiServiceHost") returned 14 [0042.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.635] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0042.635] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0042.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0042.635] lstrlenW (lpString="WdiSystemHost") returned 13 [0042.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.635] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0042.635] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0042.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0042.635] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0042.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.635] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0042.635] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0042.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0042.635] lstrlenW (lpString="Winmgmt") returned 7 [0042.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0042.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0042.635] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0042.635] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0042.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0042.635] lstrlenW (lpString="WPDBusEnum") returned 10 [0042.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.636] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0042.636] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0042.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0042.636] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x381d358 | out: hHeap=0x500000) returned 1 [0042.636] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x194 [0042.640] Process32FirstW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.641] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.641] lstrlenW (lpString="System") returned 6 [0042.641] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0042.641] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0042.642] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0042.642] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0042.642] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0042.642] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0042.642] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0042.642] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.642] lstrlenW (lpString="smss.exe") returned 8 [0042.642] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0042.642] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0042.642] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0042.642] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0042.642] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0042.642] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0042.642] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0042.642] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.643] lstrlenW (lpString="csrss.exe") returned 9 [0042.643] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.643] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.643] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.643] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.643] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.643] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.643] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0042.643] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.644] lstrlenW (lpString="wininit.exe") returned 11 [0042.644] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0042.644] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0042.644] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0042.644] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0042.644] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0042.644] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0042.644] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0042.644] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.644] lstrlenW (lpString="csrss.exe") returned 9 [0042.644] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.644] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.644] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.644] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.644] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.644] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.645] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.645] lstrlenW (lpString="winlogon.exe") returned 12 [0042.645] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.646] lstrlenW (lpString="services.exe") returned 12 [0042.646] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.646] lstrlenW (lpString="lsass.exe") returned 9 [0042.646] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0042.647] lstrlenW (lpString="lsm.exe") returned 7 [0042.647] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.647] lstrlenW (lpString="svchost.exe") returned 11 [0042.647] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.648] lstrlenW (lpString="svchost.exe") returned 11 [0042.648] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.648] lstrlenW (lpString="svchost.exe") returned 11 [0042.648] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.649] lstrlenW (lpString="svchost.exe") returned 11 [0042.649] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.649] lstrlenW (lpString="svchost.exe") returned 11 [0042.649] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.650] lstrlenW (lpString="audiodg.exe") returned 11 [0042.650] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.650] lstrlenW (lpString="svchost.exe") returned 11 [0042.650] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.651] lstrlenW (lpString="svchost.exe") returned 11 [0042.651] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.651] lstrlenW (lpString="dwm.exe") returned 7 [0042.651] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.652] lstrlenW (lpString="explorer.exe") returned 12 [0042.652] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.652] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.652] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.653] lstrlenW (lpString="svchost.exe") returned 11 [0042.653] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.653] lstrlenW (lpString="taskhost.exe") returned 12 [0042.653] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0042.654] lstrlenW (lpString="taskeng.exe") returned 11 [0042.654] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0042.655] lstrlenW (lpString="prime.exe") returned 9 [0042.655] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0042.655] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0042.655] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0042.656] lstrlenW (lpString="financing.exe") returned 13 [0042.656] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0042.656] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0042.656] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0042.657] lstrlenW (lpString="dg hit.exe") returned 10 [0042.657] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0042.657] lstrlenW (lpString="banners_drops.exe") returned 17 [0042.657] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0042.658] lstrlenW (lpString="vacuum.exe") returned 10 [0042.658] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0042.658] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0042.658] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0042.659] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0042.659] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0043.014] lstrlenW (lpString="holocauststored.exe") returned 19 [0043.015] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0043.015] lstrlenW (lpString="mini.exe") returned 8 [0043.015] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0043.016] lstrlenW (lpString="bi_tiny.exe") returned 11 [0043.016] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0043.016] lstrlenW (lpString="mall_drawn.exe") returned 14 [0043.016] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0043.017] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0043.017] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0043.017] lstrlenW (lpString="distributed.exe") returned 15 [0043.017] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0043.018] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0043.018] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0043.018] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0043.018] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0043.019] lstrlenW (lpString="3dftp.exe") returned 9 [0043.019] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0043.019] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0043.019] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0043.020] lstrlenW (lpString="alftp.exe") returned 9 [0043.020] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0043.020] lstrlenW (lpString="barca.exe") returned 9 [0043.020] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0043.021] lstrlenW (lpString="bitkinex.exe") returned 12 [0043.021] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0043.021] lstrlenW (lpString="coreftp.exe") returned 11 [0043.021] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0043.022] lstrlenW (lpString="far.exe") returned 7 [0043.022] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0043.023] lstrlenW (lpString="filezilla.exe") returned 13 [0043.023] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0043.023] lstrlenW (lpString="flashfxp.exe") returned 12 [0043.023] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0043.024] lstrlenW (lpString="fling.exe") returned 9 [0043.024] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0043.024] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0043.024] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0043.025] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0043.025] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0043.026] lstrlenW (lpString="icq.exe") returned 7 [0043.026] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0043.026] lstrlenW (lpString="leechftp.exe") returned 12 [0043.026] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0043.027] lstrlenW (lpString="ncftp.exe") returned 9 [0043.027] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0043.027] lstrlenW (lpString="notepad.exe") returned 11 [0043.027] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0043.028] lstrlenW (lpString="operamail.exe") returned 13 [0043.028] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0043.029] lstrlenW (lpString="pidgin.exe") returned 10 [0043.029] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0043.030] lstrlenW (lpString="scriptftp.exe") returned 13 [0043.030] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0043.030] lstrlenW (lpString="skype.exe") returned 9 [0043.031] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0043.031] lstrlenW (lpString="smartftp.exe") returned 12 [0043.031] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0043.032] lstrlenW (lpString="thunderbird.exe") returned 15 [0043.032] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0043.033] lstrlenW (lpString="totalcmd.exe") returned 12 [0043.033] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0043.034] lstrlenW (lpString="trillian.exe") returned 12 [0043.034] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0043.035] lstrlenW (lpString="webdrive.exe") returned 12 [0043.035] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0043.035] lstrlenW (lpString="whatsapp.exe") returned 12 [0043.035] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0043.036] lstrlenW (lpString="winscp.exe") returned 10 [0043.036] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0043.037] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0043.037] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0043.038] lstrlenW (lpString="active-charge.exe") returned 17 [0043.038] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0043.038] lstrlenW (lpString="accupos.exe") returned 11 [0043.038] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0043.039] lstrlenW (lpString="afr38.exe") returned 9 [0043.039] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0043.040] lstrlenW (lpString="aldelo.exe") returned 10 [0043.040] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0043.041] lstrlenW (lpString="ccv_server.exe") returned 14 [0043.041] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0043.041] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0043.041] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0043.042] lstrlenW (lpString="creditservice.exe") returned 17 [0043.042] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0043.043] lstrlenW (lpString="edcsvr.exe") returned 10 [0043.043] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0043.043] lstrlenW (lpString="fpos.exe") returned 8 [0043.043] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0043.044] lstrlenW (lpString="isspos.exe") returned 10 [0043.044] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0043.045] lstrlenW (lpString="mxslipstream.exe") returned 16 [0043.045] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0043.046] lstrlenW (lpString="omnipos.exe") returned 11 [0043.046] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0043.046] lstrlenW (lpString="spcwin.exe") returned 10 [0043.046] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0043.047] lstrlenW (lpString="spgagentservice.exe") returned 19 [0043.047] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0043.155] lstrlenW (lpString="utg2.exe") returned 8 [0043.155] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0043.156] lstrlenW (lpString="focuses.exe") returned 11 [0043.156] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0043.157] lstrlenW (lpString="fi fence.exe") returned 12 [0043.157] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0043.157] lstrlenW (lpString="knight.exe") returned 10 [0043.157] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0043.158] lstrlenW (lpString="library.exe") returned 11 [0043.158] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.159] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.159] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.159] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.159] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.160] lstrlenW (lpString="taskhost.exe") returned 12 [0043.160] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0043.160] lstrlenW (lpString="dllhost.exe") returned 11 [0043.161] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0043.161] lstrlenW (lpString="dllhost.exe") returned 11 [0043.161] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0043.162] lstrlenW (lpString="winhost.exe") returned 11 [0043.162] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.162] lstrlenW (lpString="cmd.exe") returned 7 [0043.162] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.163] lstrlenW (lpString="conhost.exe") returned 11 [0043.163] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.163] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.164] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0043.164] CloseHandle (hObject=0x194) returned 1 [0043.164] Sleep (dwMilliseconds=0x1f4) [0043.867] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b50 [0043.868] EnumServicesStatusExW (in: hSCManager=0x5a3b50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0043.868] GetLastError () returned 0xea [0043.868] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11e4) returned 0x381d358 [0043.868] EnumServicesStatusExW (in: hSCManager=0x5a3b50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x381d358, cbBufSize=0x11e4, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x381d358, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0043.869] CloseServiceHandle (hSCObject=0x5a3b50) returned 1 [0043.869] lstrlenW (lpString="Appinfo") returned 7 [0043.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.869] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.869] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.869] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.869] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.869] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.870] lstrlenW (lpString="AudioSrv") returned 8 [0043.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0043.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0043.870] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0043.870] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0043.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0043.870] lstrlenW (lpString="BFE") returned 3 [0043.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.870] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.871] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.871] lstrlenW (lpString="CryptSvc") returned 8 [0043.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.871] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.871] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.871] lstrlenW (lpString="CscService") returned 10 [0043.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0043.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0043.871] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0043.871] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0043.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0043.871] lstrlenW (lpString="DcomLaunch") returned 10 [0043.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.871] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.871] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.871] lstrlenW (lpString="Dhcp") returned 4 [0043.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.871] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.871] lstrlenW (lpString="Dnscache") returned 8 [0043.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.871] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.871] lstrlenW (lpString="DPS") returned 3 [0043.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.872] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.872] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.872] lstrlenW (lpString="eventlog") returned 8 [0043.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0043.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0043.872] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0043.872] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0043.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0043.872] lstrlenW (lpString="EventSystem") returned 11 [0043.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.872] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.872] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.872] lstrlenW (lpString="gpsvc") returned 5 [0043.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.872] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.872] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.872] lstrlenW (lpString="iphlpsvc") returned 8 [0043.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.872] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.872] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.872] lstrlenW (lpString="LanmanServer") returned 12 [0043.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.872] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.872] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.873] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.873] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.873] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.873] lstrlenW (lpString="lmhosts") returned 7 [0043.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.873] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.873] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.873] lstrlenW (lpString="MMCSS") returned 5 [0043.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0043.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0043.873] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0043.873] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0043.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0043.873] lstrlenW (lpString="MpsSvc") returned 6 [0043.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.873] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.873] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.873] lstrlenW (lpString="Netman") returned 6 [0043.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0043.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0043.873] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0043.873] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0043.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0043.873] lstrlenW (lpString="netprofm") returned 8 [0043.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.873] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.874] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.874] lstrlenW (lpString="NlaSvc") returned 6 [0043.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.874] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.874] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.874] lstrlenW (lpString="nsi") returned 3 [0043.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.874] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.874] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.874] lstrlenW (lpString="PcaSvc") returned 6 [0043.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.875] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.875] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.875] lstrlenW (lpString="PlugPlay") returned 8 [0043.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.875] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.875] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.875] lstrlenW (lpString="Power") returned 5 [0043.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.875] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.875] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.875] lstrlenW (lpString="ProfSvc") returned 7 [0043.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.875] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.875] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.875] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.875] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.875] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.875] lstrlenW (lpString="RpcSs") returned 5 [0043.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.875] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.875] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.876] lstrlenW (lpString="SamSs") returned 5 [0043.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.876] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.876] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.876] lstrlenW (lpString="Schedule") returned 8 [0043.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.876] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.876] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.876] lstrlenW (lpString="SENS") returned 4 [0043.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.876] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.876] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.876] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.876] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.876] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.876] lstrlenW (lpString="Spooler") returned 7 [0043.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.876] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.876] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.876] lstrlenW (lpString="SysMain") returned 7 [0043.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.876] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.876] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.877] lstrlenW (lpString="Themes") returned 6 [0043.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.877] lstrlenW (lpString="TrkWks") returned 6 [0043.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.877] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.877] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.877] lstrlenW (lpString="UxSms") returned 5 [0043.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.877] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.877] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.877] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.877] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.877] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.877] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.877] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.877] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.877] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.878] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.878] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.878] lstrlenW (lpString="Winmgmt") returned 7 [0043.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.878] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.878] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.878] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.878] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.878] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.878] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x381d358 | out: hHeap=0x500000) returned 1 [0043.878] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0043.882] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.882] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.883] lstrlenW (lpString="System") returned 6 [0043.883] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.883] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.883] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.883] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.883] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.883] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.883] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.883] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.884] lstrlenW (lpString="smss.exe") returned 8 [0043.884] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.884] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.884] lstrlenW (lpString="csrss.exe") returned 9 [0043.884] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.884] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.884] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.884] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.884] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.884] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.884] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.885] lstrlenW (lpString="wininit.exe") returned 11 [0043.885] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.885] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.885] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.885] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0043.885] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0043.885] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0043.885] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0043.885] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.886] lstrlenW (lpString="csrss.exe") returned 9 [0043.886] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.886] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.886] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.886] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.886] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.886] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.886] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.887] lstrlenW (lpString="winlogon.exe") returned 12 [0043.887] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.887] lstrlenW (lpString="services.exe") returned 12 [0043.887] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.888] lstrlenW (lpString="lsass.exe") returned 9 [0043.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.888] lstrlenW (lpString="lsm.exe") returned 7 [0043.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.889] lstrlenW (lpString="svchost.exe") returned 11 [0043.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.890] lstrlenW (lpString="svchost.exe") returned 11 [0043.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.890] lstrlenW (lpString="svchost.exe") returned 11 [0043.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.891] lstrlenW (lpString="svchost.exe") returned 11 [0043.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.891] lstrlenW (lpString="svchost.exe") returned 11 [0043.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.892] lstrlenW (lpString="audiodg.exe") returned 11 [0043.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.892] lstrlenW (lpString="svchost.exe") returned 11 [0043.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.893] lstrlenW (lpString="svchost.exe") returned 11 [0043.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.893] lstrlenW (lpString="dwm.exe") returned 7 [0043.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.894] lstrlenW (lpString="explorer.exe") returned 12 [0043.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.894] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.895] lstrlenW (lpString="svchost.exe") returned 11 [0043.895] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.896] lstrlenW (lpString="taskhost.exe") returned 12 [0043.896] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.896] lstrlenW (lpString="taskeng.exe") returned 11 [0043.896] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0043.897] lstrlenW (lpString="prime.exe") returned 9 [0043.897] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0043.897] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0043.897] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0043.898] lstrlenW (lpString="financing.exe") returned 13 [0043.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0043.898] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0043.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0043.899] lstrlenW (lpString="dg hit.exe") returned 10 [0043.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0043.899] lstrlenW (lpString="banners_drops.exe") returned 17 [0043.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0043.900] lstrlenW (lpString="vacuum.exe") returned 10 [0043.900] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0043.900] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0043.900] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0043.901] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0043.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0043.901] lstrlenW (lpString="holocauststored.exe") returned 19 [0043.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0043.902] lstrlenW (lpString="mini.exe") returned 8 [0043.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0043.903] lstrlenW (lpString="bi_tiny.exe") returned 11 [0043.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0043.903] lstrlenW (lpString="mall_drawn.exe") returned 14 [0043.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0043.904] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0043.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0043.904] lstrlenW (lpString="distributed.exe") returned 15 [0043.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0043.905] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0043.905] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0044.130] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0044.130] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0044.130] lstrlenW (lpString="3dftp.exe") returned 9 [0044.131] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0044.131] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0044.131] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0044.132] lstrlenW (lpString="alftp.exe") returned 9 [0044.132] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0044.132] lstrlenW (lpString="barca.exe") returned 9 [0044.132] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0044.133] lstrlenW (lpString="bitkinex.exe") returned 12 [0044.133] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0044.133] lstrlenW (lpString="coreftp.exe") returned 11 [0044.133] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0044.134] lstrlenW (lpString="far.exe") returned 7 [0044.134] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0044.134] lstrlenW (lpString="filezilla.exe") returned 13 [0044.134] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0044.135] lstrlenW (lpString="flashfxp.exe") returned 12 [0044.135] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0044.135] lstrlenW (lpString="fling.exe") returned 9 [0044.135] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0044.136] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0044.136] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0044.136] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0044.136] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0044.137] lstrlenW (lpString="icq.exe") returned 7 [0044.137] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0044.137] lstrlenW (lpString="leechftp.exe") returned 12 [0044.137] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0044.138] lstrlenW (lpString="ncftp.exe") returned 9 [0044.138] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0044.138] lstrlenW (lpString="notepad.exe") returned 11 [0044.138] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0044.139] lstrlenW (lpString="operamail.exe") returned 13 [0044.139] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0044.140] lstrlenW (lpString="pidgin.exe") returned 10 [0044.140] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0044.140] lstrlenW (lpString="scriptftp.exe") returned 13 [0044.141] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0044.141] lstrlenW (lpString="skype.exe") returned 9 [0044.141] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0044.142] lstrlenW (lpString="smartftp.exe") returned 12 [0044.142] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0044.143] lstrlenW (lpString="thunderbird.exe") returned 15 [0044.143] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0044.143] lstrlenW (lpString="totalcmd.exe") returned 12 [0044.144] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0044.144] lstrlenW (lpString="trillian.exe") returned 12 [0044.144] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0044.145] lstrlenW (lpString="webdrive.exe") returned 12 [0044.145] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0044.146] lstrlenW (lpString="whatsapp.exe") returned 12 [0044.146] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0044.147] lstrlenW (lpString="winscp.exe") returned 10 [0044.147] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0044.147] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0044.147] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0044.148] lstrlenW (lpString="active-charge.exe") returned 17 [0044.148] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0044.149] lstrlenW (lpString="accupos.exe") returned 11 [0044.149] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0044.149] lstrlenW (lpString="afr38.exe") returned 9 [0044.150] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0044.150] lstrlenW (lpString="aldelo.exe") returned 10 [0044.150] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0044.151] lstrlenW (lpString="ccv_server.exe") returned 14 [0044.151] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0044.152] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0044.152] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0044.152] lstrlenW (lpString="creditservice.exe") returned 17 [0044.152] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0044.153] lstrlenW (lpString="edcsvr.exe") returned 10 [0044.153] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0044.154] lstrlenW (lpString="fpos.exe") returned 8 [0044.154] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0044.154] lstrlenW (lpString="isspos.exe") returned 10 [0044.154] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0044.155] lstrlenW (lpString="mxslipstream.exe") returned 16 [0044.155] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0044.156] lstrlenW (lpString="omnipos.exe") returned 11 [0044.156] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0044.156] lstrlenW (lpString="spcwin.exe") returned 10 [0044.156] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0044.157] lstrlenW (lpString="spgagentservice.exe") returned 19 [0044.157] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0044.158] lstrlenW (lpString="utg2.exe") returned 8 [0044.158] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0044.158] lstrlenW (lpString="focuses.exe") returned 11 [0044.158] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0044.159] lstrlenW (lpString="fi fence.exe") returned 12 [0044.159] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0044.159] lstrlenW (lpString="knight.exe") returned 10 [0044.160] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0044.160] lstrlenW (lpString="library.exe") returned 11 [0044.160] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.161] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.161] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.161] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.161] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.162] lstrlenW (lpString="taskhost.exe") returned 12 [0044.162] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0044.162] lstrlenW (lpString="winhost.exe") returned 11 [0044.162] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.163] lstrlenW (lpString="cmd.exe") returned 7 [0044.163] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.164] lstrlenW (lpString="conhost.exe") returned 11 [0044.164] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0044.164] lstrlenW (lpString="vssadmin.exe") returned 12 [0044.164] Process32NextW (in: hSnapshot=0x1a0, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0044.165] CloseHandle (hObject=0x1a0) returned 1 [0044.165] Sleep (dwMilliseconds=0x1f4) [0044.906] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b28 [0044.906] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0044.907] GetLastError () returned 0xea [0044.907] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x123e) returned 0x381d358 [0044.907] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x381d358, cbBufSize=0x123e, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x381d358, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0044.908] CloseServiceHandle (hSCObject=0x5a3b28) returned 1 [0044.908] lstrlenW (lpString="Appinfo") returned 7 [0044.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.908] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.908] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.908] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.908] lstrlenW (lpString="AudioSrv") returned 8 [0044.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0044.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0044.908] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0044.908] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0044.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0044.908] lstrlenW (lpString="BFE") returned 3 [0044.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.909] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.909] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.909] lstrlenW (lpString="CryptSvc") returned 8 [0044.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.909] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.909] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.909] lstrlenW (lpString="CscService") returned 10 [0044.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0044.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0044.909] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0044.909] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0044.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0044.909] lstrlenW (lpString="DcomLaunch") returned 10 [0044.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.909] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.909] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.909] lstrlenW (lpString="Dhcp") returned 4 [0044.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.909] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.909] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.909] lstrlenW (lpString="Dnscache") returned 8 [0044.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.909] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.909] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.909] lstrlenW (lpString="DPS") returned 3 [0044.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.910] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.910] lstrlenW (lpString="eventlog") returned 8 [0044.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0044.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0044.910] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0044.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0044.910] lstrlenW (lpString="EventSystem") returned 11 [0044.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.910] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.910] lstrlenW (lpString="gpsvc") returned 5 [0044.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.910] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.910] lstrlenW (lpString="iphlpsvc") returned 8 [0044.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.910] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.910] lstrlenW (lpString="LanmanServer") returned 12 [0044.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.910] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.910] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.910] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.911] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.911] lstrlenW (lpString="lmhosts") returned 7 [0044.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.911] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.911] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.911] lstrlenW (lpString="MMCSS") returned 5 [0044.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0044.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0044.911] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0044.911] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0044.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0044.911] lstrlenW (lpString="MpsSvc") returned 6 [0044.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.911] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.911] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.911] lstrlenW (lpString="Netman") returned 6 [0044.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0044.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0044.911] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0044.911] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0044.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0044.911] lstrlenW (lpString="netprofm") returned 8 [0044.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.911] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.911] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.911] lstrlenW (lpString="NlaSvc") returned 6 [0044.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.911] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.912] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.912] lstrlenW (lpString="nsi") returned 3 [0044.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.912] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.912] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.912] lstrlenW (lpString="PcaSvc") returned 6 [0044.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.912] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.912] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.912] lstrlenW (lpString="PlugPlay") returned 8 [0044.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.912] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.912] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.912] lstrlenW (lpString="Power") returned 5 [0044.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.912] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.912] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.912] lstrlenW (lpString="ProfSvc") returned 7 [0044.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.912] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.912] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.912] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.912] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.913] lstrlenW (lpString="RpcSs") returned 5 [0044.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0044.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0044.913] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0044.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0044.913] lstrlenW (lpString="SamSs") returned 5 [0044.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0044.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0044.913] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0044.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0044.913] lstrlenW (lpString="Schedule") returned 8 [0044.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0044.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0044.913] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0044.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0044.913] lstrlenW (lpString="SENS") returned 4 [0044.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0044.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0044.913] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0044.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0044.913] lstrlenW (lpString="ShellHWDetection") returned 16 [0044.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.913] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0044.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0044.913] lstrlenW (lpString="Spooler") returned 7 [0044.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0044.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0044.913] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0044.913] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0044.914] lstrlenW (lpString="SysMain") returned 7 [0044.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0044.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0044.914] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0044.914] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0044.914] lstrlenW (lpString="Themes") returned 6 [0044.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0044.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0044.914] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0044.914] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0044.914] lstrlenW (lpString="TrkWks") returned 6 [0044.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0044.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0044.914] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0044.914] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0044.914] lstrlenW (lpString="UxSms") returned 5 [0044.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0044.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0044.914] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0044.914] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0044.914] lstrlenW (lpString="VSS") returned 3 [0044.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0044.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0044.914] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0044.914] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0044.914] lstrlenW (lpString="WdiServiceHost") returned 14 [0044.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.914] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0044.914] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0044.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0044.915] lstrlenW (lpString="WdiSystemHost") returned 13 [0044.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.915] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0044.915] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0044.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0044.915] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0044.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.915] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0044.915] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0044.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0044.915] lstrlenW (lpString="Winmgmt") returned 7 [0044.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0044.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0044.915] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0044.915] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0044.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0044.915] lstrlenW (lpString="WPDBusEnum") returned 10 [0044.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.915] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0044.915] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0044.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0044.915] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x381d358 | out: hHeap=0x500000) returned 1 [0044.915] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c4 [0044.919] Process32FirstW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.920] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.921] lstrlenW (lpString="System") returned 6 [0044.921] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0044.921] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0044.921] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0044.921] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0044.921] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0044.921] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0044.921] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0044.921] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.921] lstrlenW (lpString="smss.exe") returned 8 [0044.921] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0044.921] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0044.921] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0044.921] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0044.921] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0044.921] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0044.921] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0044.921] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.922] lstrlenW (lpString="csrss.exe") returned 9 [0044.922] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.922] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0044.922] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0044.922] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0044.922] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0044.922] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0044.922] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0044.922] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.923] lstrlenW (lpString="wininit.exe") returned 11 [0044.923] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0044.923] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0044.923] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0044.923] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0044.923] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0044.923] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0044.923] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0044.923] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.923] lstrlenW (lpString="csrss.exe") returned 9 [0044.923] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.924] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.924] lstrlenW (lpString="winlogon.exe") returned 12 [0044.924] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.925] lstrlenW (lpString="services.exe") returned 12 [0044.925] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.925] lstrlenW (lpString="lsass.exe") returned 9 [0044.925] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.926] lstrlenW (lpString="lsm.exe") returned 7 [0044.926] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.926] lstrlenW (lpString="svchost.exe") returned 11 [0044.926] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.927] lstrlenW (lpString="svchost.exe") returned 11 [0044.927] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.927] lstrlenW (lpString="svchost.exe") returned 11 [0044.927] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.928] lstrlenW (lpString="svchost.exe") returned 11 [0044.928] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.928] lstrlenW (lpString="svchost.exe") returned 11 [0044.928] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.929] lstrlenW (lpString="audiodg.exe") returned 11 [0044.929] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.929] lstrlenW (lpString="svchost.exe") returned 11 [0044.929] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.930] lstrlenW (lpString="svchost.exe") returned 11 [0044.930] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.930] lstrlenW (lpString="dwm.exe") returned 7 [0044.930] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.931] lstrlenW (lpString="explorer.exe") returned 12 [0044.931] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.931] lstrlenW (lpString="spoolsv.exe") returned 11 [0044.931] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.932] lstrlenW (lpString="svchost.exe") returned 11 [0044.932] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.932] lstrlenW (lpString="taskhost.exe") returned 12 [0044.932] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0044.933] lstrlenW (lpString="taskeng.exe") returned 11 [0044.933] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0044.933] lstrlenW (lpString="prime.exe") returned 9 [0044.934] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0044.934] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0044.934] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0044.934] lstrlenW (lpString="financing.exe") returned 13 [0044.935] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0044.935] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0044.935] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0044.936] lstrlenW (lpString="dg hit.exe") returned 10 [0044.936] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0044.936] lstrlenW (lpString="banners_drops.exe") returned 17 [0044.936] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0044.937] lstrlenW (lpString="vacuum.exe") returned 10 [0044.937] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0044.937] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0044.937] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0044.938] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0044.938] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0044.938] lstrlenW (lpString="holocauststored.exe") returned 19 [0044.938] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0044.939] lstrlenW (lpString="mini.exe") returned 8 [0044.939] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0044.939] lstrlenW (lpString="bi_tiny.exe") returned 11 [0044.939] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0044.940] lstrlenW (lpString="mall_drawn.exe") returned 14 [0044.940] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0045.185] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0045.185] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0045.185] lstrlenW (lpString="distributed.exe") returned 15 [0045.185] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0045.186] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0045.186] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0045.187] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0045.187] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0045.187] lstrlenW (lpString="3dftp.exe") returned 9 [0045.188] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0045.188] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0045.188] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0045.190] lstrlenW (lpString="alftp.exe") returned 9 [0045.190] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0045.190] lstrlenW (lpString="barca.exe") returned 9 [0045.191] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0045.191] lstrlenW (lpString="bitkinex.exe") returned 12 [0045.191] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0045.192] lstrlenW (lpString="coreftp.exe") returned 11 [0045.192] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0045.193] lstrlenW (lpString="far.exe") returned 7 [0045.193] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0045.194] lstrlenW (lpString="filezilla.exe") returned 13 [0045.194] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0045.194] lstrlenW (lpString="flashfxp.exe") returned 12 [0045.194] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0045.195] lstrlenW (lpString="fling.exe") returned 9 [0045.195] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0045.196] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0045.196] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0045.197] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0045.197] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0045.197] lstrlenW (lpString="icq.exe") returned 7 [0045.198] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0045.198] lstrlenW (lpString="leechftp.exe") returned 12 [0045.198] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0045.199] lstrlenW (lpString="ncftp.exe") returned 9 [0045.199] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0045.200] lstrlenW (lpString="notepad.exe") returned 11 [0045.200] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0045.201] lstrlenW (lpString="operamail.exe") returned 13 [0045.201] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0045.202] lstrlenW (lpString="pidgin.exe") returned 10 [0045.202] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0045.203] lstrlenW (lpString="scriptftp.exe") returned 13 [0045.203] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0045.204] lstrlenW (lpString="skype.exe") returned 9 [0045.204] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0045.205] lstrlenW (lpString="smartftp.exe") returned 12 [0045.205] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0045.206] lstrlenW (lpString="thunderbird.exe") returned 15 [0045.206] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0045.207] lstrlenW (lpString="totalcmd.exe") returned 12 [0045.207] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0045.208] lstrlenW (lpString="trillian.exe") returned 12 [0045.208] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0045.209] lstrlenW (lpString="webdrive.exe") returned 12 [0045.209] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0045.210] lstrlenW (lpString="whatsapp.exe") returned 12 [0045.210] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0045.211] lstrlenW (lpString="winscp.exe") returned 10 [0045.211] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0045.211] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0045.212] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0045.212] lstrlenW (lpString="active-charge.exe") returned 17 [0045.212] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0045.213] lstrlenW (lpString="accupos.exe") returned 11 [0045.213] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0045.214] lstrlenW (lpString="afr38.exe") returned 9 [0045.214] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0045.215] lstrlenW (lpString="aldelo.exe") returned 10 [0045.215] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0045.216] lstrlenW (lpString="ccv_server.exe") returned 14 [0045.216] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0045.217] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0045.217] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0045.217] lstrlenW (lpString="creditservice.exe") returned 17 [0045.217] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0045.218] lstrlenW (lpString="edcsvr.exe") returned 10 [0045.218] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0045.219] lstrlenW (lpString="fpos.exe") returned 8 [0045.219] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0045.219] lstrlenW (lpString="isspos.exe") returned 10 [0045.220] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0045.502] lstrlenW (lpString="mxslipstream.exe") returned 16 [0045.507] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0045.530] lstrlenW (lpString="omnipos.exe") returned 11 [0045.530] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0045.544] lstrlenW (lpString="spcwin.exe") returned 10 [0045.545] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0045.545] lstrlenW (lpString="spgagentservice.exe") returned 19 [0045.545] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0045.546] lstrlenW (lpString="utg2.exe") returned 8 [0045.546] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0045.547] lstrlenW (lpString="focuses.exe") returned 11 [0045.547] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0045.548] lstrlenW (lpString="fi fence.exe") returned 12 [0045.548] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0045.549] lstrlenW (lpString="knight.exe") returned 10 [0045.549] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0045.549] lstrlenW (lpString="library.exe") returned 11 [0045.550] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.550] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.550] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.551] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.551] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.552] lstrlenW (lpString="taskhost.exe") returned 12 [0045.552] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0045.553] lstrlenW (lpString="winhost.exe") returned 11 [0045.553] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.554] lstrlenW (lpString="cmd.exe") returned 7 [0045.554] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.554] lstrlenW (lpString="conhost.exe") returned 11 [0045.554] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0045.555] lstrlenW (lpString="vssadmin.exe") returned 12 [0045.555] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0045.556] CloseHandle (hObject=0x1c4) returned 1 [0045.556] Sleep (dwMilliseconds=0x1f4) [0046.234] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b28 [0046.234] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0046.234] GetLastError () returned 0xea [0046.234] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x123e) returned 0x381d358 [0046.234] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x381d358, cbBufSize=0x123e, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x381d358, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0046.235] CloseServiceHandle (hSCObject=0x5a3b28) returned 1 [0046.235] lstrlenW (lpString="Appinfo") returned 7 [0046.235] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.235] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.235] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.235] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.236] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.236] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.236] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.236] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.236] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.236] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.236] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.236] lstrlenW (lpString="AudioSrv") returned 8 [0046.236] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.236] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.236] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.236] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.236] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.236] lstrlenW (lpString="BFE") returned 3 [0046.236] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.236] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.236] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.236] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.236] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.236] lstrlenW (lpString="CryptSvc") returned 8 [0046.236] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.236] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.236] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.236] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.236] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.236] lstrlenW (lpString="CscService") returned 10 [0046.236] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.236] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.236] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.236] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.236] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.236] lstrlenW (lpString="DcomLaunch") returned 10 [0046.236] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.236] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.236] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.236] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.237] lstrlenW (lpString="Dhcp") returned 4 [0046.237] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.237] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.237] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.237] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.237] lstrlenW (lpString="Dnscache") returned 8 [0046.237] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.237] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.237] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.237] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.237] lstrlenW (lpString="DPS") returned 3 [0046.237] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.237] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.237] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.237] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.237] lstrlenW (lpString="eventlog") returned 8 [0046.237] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.237] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.237] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.237] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.237] lstrlenW (lpString="EventSystem") returned 11 [0046.237] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.237] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.237] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.237] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.237] lstrlenW (lpString="gpsvc") returned 5 [0046.237] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.237] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.237] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.237] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.238] lstrlenW (lpString="iphlpsvc") returned 8 [0046.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.238] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.238] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.238] lstrlenW (lpString="LanmanServer") returned 12 [0046.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.238] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.238] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.238] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.238] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.238] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.238] lstrlenW (lpString="lmhosts") returned 7 [0046.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.238] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.238] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.238] lstrlenW (lpString="MMCSS") returned 5 [0046.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.238] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.238] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.238] lstrlenW (lpString="MpsSvc") returned 6 [0046.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.238] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.238] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.239] lstrlenW (lpString="Netman") returned 6 [0046.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.239] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.239] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.239] lstrlenW (lpString="netprofm") returned 8 [0046.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.239] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.239] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.239] lstrlenW (lpString="NlaSvc") returned 6 [0046.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.239] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.239] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.239] lstrlenW (lpString="nsi") returned 3 [0046.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.239] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.239] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.239] lstrlenW (lpString="PcaSvc") returned 6 [0046.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.239] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.239] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.239] lstrlenW (lpString="PlugPlay") returned 8 [0046.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.239] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.239] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.240] lstrlenW (lpString="Power") returned 5 [0046.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.240] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.240] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.240] lstrlenW (lpString="ProfSvc") returned 7 [0046.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.240] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.240] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.240] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.240] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.240] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.240] lstrlenW (lpString="RpcSs") returned 5 [0046.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.240] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.240] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.240] lstrlenW (lpString="SamSs") returned 5 [0046.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.240] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.240] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.240] lstrlenW (lpString="Schedule") returned 8 [0046.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.240] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.240] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.241] lstrlenW (lpString="SENS") returned 4 [0046.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.241] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.241] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.241] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.241] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.241] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.241] lstrlenW (lpString="Spooler") returned 7 [0046.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.241] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.241] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.241] lstrlenW (lpString="SysMain") returned 7 [0046.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.241] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.241] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.241] lstrlenW (lpString="Themes") returned 6 [0046.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.241] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.241] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.241] lstrlenW (lpString="TrkWks") returned 6 [0046.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.241] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.241] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.242] lstrlenW (lpString="UxSms") returned 5 [0046.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.242] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.242] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.242] lstrlenW (lpString="VSS") returned 3 [0046.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.242] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.242] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.242] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.242] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.242] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.242] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.242] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.242] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.242] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.242] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.242] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.242] lstrlenW (lpString="Winmgmt") returned 7 [0046.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.242] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.242] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.243] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.243] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.243] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.243] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x381d358 | out: hHeap=0x500000) returned 1 [0046.243] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0046.247] Process32FirstW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.247] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.248] lstrlenW (lpString="System") returned 6 [0046.248] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.248] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.248] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.248] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.248] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.248] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.248] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.248] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.249] lstrlenW (lpString="smss.exe") returned 8 [0046.249] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.249] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.249] lstrlenW (lpString="csrss.exe") returned 9 [0046.249] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.249] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.250] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.250] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.250] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.250] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.250] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.250] lstrlenW (lpString="wininit.exe") returned 11 [0046.250] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.250] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.250] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.250] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0046.250] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0046.250] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0046.250] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0046.250] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.251] lstrlenW (lpString="csrss.exe") returned 9 [0046.251] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.251] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.252] lstrlenW (lpString="winlogon.exe") returned 12 [0046.252] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.252] lstrlenW (lpString="services.exe") returned 12 [0046.252] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.253] lstrlenW (lpString="lsass.exe") returned 9 [0046.253] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.253] lstrlenW (lpString="lsm.exe") returned 7 [0046.253] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.254] lstrlenW (lpString="svchost.exe") returned 11 [0046.254] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.254] lstrlenW (lpString="svchost.exe") returned 11 [0046.254] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.255] lstrlenW (lpString="svchost.exe") returned 11 [0046.255] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.255] lstrlenW (lpString="svchost.exe") returned 11 [0046.255] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.256] lstrlenW (lpString="svchost.exe") returned 11 [0046.256] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.256] lstrlenW (lpString="audiodg.exe") returned 11 [0046.256] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.257] lstrlenW (lpString="svchost.exe") returned 11 [0046.257] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.257] lstrlenW (lpString="svchost.exe") returned 11 [0046.257] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.258] lstrlenW (lpString="dwm.exe") returned 7 [0046.258] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.258] lstrlenW (lpString="explorer.exe") returned 12 [0046.258] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.259] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.259] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.259] lstrlenW (lpString="svchost.exe") returned 11 [0046.259] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.260] lstrlenW (lpString="taskhost.exe") returned 12 [0046.260] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.260] lstrlenW (lpString="taskeng.exe") returned 11 [0046.261] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0046.262] lstrlenW (lpString="prime.exe") returned 9 [0046.262] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0046.262] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0046.262] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0046.263] lstrlenW (lpString="financing.exe") returned 13 [0046.263] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0046.263] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0046.263] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0046.264] lstrlenW (lpString="dg hit.exe") returned 10 [0046.264] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0046.264] lstrlenW (lpString="banners_drops.exe") returned 17 [0046.264] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0046.265] lstrlenW (lpString="vacuum.exe") returned 10 [0046.265] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0046.265] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0046.265] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0046.266] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0046.266] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0046.266] lstrlenW (lpString="holocauststored.exe") returned 19 [0046.266] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0046.267] lstrlenW (lpString="mini.exe") returned 8 [0046.267] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0046.268] lstrlenW (lpString="bi_tiny.exe") returned 11 [0046.268] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0046.268] lstrlenW (lpString="mall_drawn.exe") returned 14 [0046.268] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0046.269] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0046.269] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0046.642] lstrlenW (lpString="distributed.exe") returned 15 [0046.642] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0046.663] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0046.663] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0046.663] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0046.663] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0046.664] lstrlenW (lpString="3dftp.exe") returned 9 [0046.664] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0046.665] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0046.665] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0046.665] lstrlenW (lpString="alftp.exe") returned 9 [0046.665] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0046.666] lstrlenW (lpString="barca.exe") returned 9 [0046.666] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0046.667] lstrlenW (lpString="bitkinex.exe") returned 12 [0046.667] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0046.668] lstrlenW (lpString="coreftp.exe") returned 11 [0046.668] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0046.668] lstrlenW (lpString="far.exe") returned 7 [0046.668] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0046.669] lstrlenW (lpString="filezilla.exe") returned 13 [0046.669] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0046.670] lstrlenW (lpString="flashfxp.exe") returned 12 [0046.670] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0046.670] lstrlenW (lpString="fling.exe") returned 9 [0046.670] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0046.671] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0046.671] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0046.672] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0046.672] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0046.672] lstrlenW (lpString="icq.exe") returned 7 [0046.672] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0046.673] lstrlenW (lpString="leechftp.exe") returned 12 [0046.673] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0046.674] lstrlenW (lpString="ncftp.exe") returned 9 [0046.674] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0046.674] lstrlenW (lpString="notepad.exe") returned 11 [0046.675] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0046.675] lstrlenW (lpString="operamail.exe") returned 13 [0046.675] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0046.676] lstrlenW (lpString="pidgin.exe") returned 10 [0046.676] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0046.677] lstrlenW (lpString="scriptftp.exe") returned 13 [0046.677] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0046.678] lstrlenW (lpString="skype.exe") returned 9 [0046.678] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0046.679] lstrlenW (lpString="smartftp.exe") returned 12 [0046.679] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0046.680] lstrlenW (lpString="thunderbird.exe") returned 15 [0046.680] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0046.681] lstrlenW (lpString="totalcmd.exe") returned 12 [0046.681] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0046.682] lstrlenW (lpString="trillian.exe") returned 12 [0046.682] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0046.683] lstrlenW (lpString="webdrive.exe") returned 12 [0046.683] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0046.684] lstrlenW (lpString="whatsapp.exe") returned 12 [0046.684] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0046.685] lstrlenW (lpString="winscp.exe") returned 10 [0046.685] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0046.686] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0046.686] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0046.687] lstrlenW (lpString="active-charge.exe") returned 17 [0046.687] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0046.688] lstrlenW (lpString="accupos.exe") returned 11 [0046.688] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0046.689] lstrlenW (lpString="afr38.exe") returned 9 [0046.689] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0046.690] lstrlenW (lpString="aldelo.exe") returned 10 [0046.690] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0046.691] lstrlenW (lpString="ccv_server.exe") returned 14 [0046.691] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0046.692] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0046.692] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0046.693] lstrlenW (lpString="creditservice.exe") returned 17 [0046.693] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0046.694] lstrlenW (lpString="edcsvr.exe") returned 10 [0046.694] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0046.695] lstrlenW (lpString="fpos.exe") returned 8 [0046.695] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0046.695] lstrlenW (lpString="isspos.exe") returned 10 [0046.695] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0046.696] lstrlenW (lpString="mxslipstream.exe") returned 16 [0046.696] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0046.697] lstrlenW (lpString="omnipos.exe") returned 11 [0046.697] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0046.878] lstrlenW (lpString="spcwin.exe") returned 10 [0046.878] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0046.879] lstrlenW (lpString="spgagentservice.exe") returned 19 [0046.879] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0046.879] lstrlenW (lpString="utg2.exe") returned 8 [0046.879] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0046.880] lstrlenW (lpString="focuses.exe") returned 11 [0046.880] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0046.881] lstrlenW (lpString="fi fence.exe") returned 12 [0046.881] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0046.881] lstrlenW (lpString="knight.exe") returned 10 [0046.881] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0046.882] lstrlenW (lpString="library.exe") returned 11 [0046.882] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.882] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.882] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.883] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.883] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.884] lstrlenW (lpString="taskhost.exe") returned 12 [0046.884] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0046.884] lstrlenW (lpString="winhost.exe") returned 11 [0046.884] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.885] lstrlenW (lpString="cmd.exe") returned 7 [0046.885] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.886] lstrlenW (lpString="conhost.exe") returned 11 [0046.886] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.886] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.886] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.887] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.887] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0046.887] CloseHandle (hObject=0x208) returned 1 [0046.887] Sleep (dwMilliseconds=0x1f4) [0047.537] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b28 [0047.542] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0047.551] GetLastError () returned 0xea [0047.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x123e) returned 0x381d358 [0047.571] EnumServicesStatusExW (in: hSCManager=0x5a3b28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x381d358, cbBufSize=0x123e, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x381d358, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0047.572] CloseServiceHandle (hSCObject=0x5a3b28) returned 1 [0047.572] lstrlenW (lpString="Appinfo") returned 7 [0047.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0047.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0047.572] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0047.572] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0047.573] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0047.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.573] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0047.573] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0047.573] lstrlenW (lpString="AudioSrv") returned 8 [0047.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0047.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0047.573] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0047.573] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0047.573] lstrlenW (lpString="BFE") returned 3 [0047.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0047.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0047.573] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0047.573] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0047.573] lstrlenW (lpString="CryptSvc") returned 8 [0047.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0047.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0047.573] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0047.573] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0047.573] lstrlenW (lpString="CscService") returned 10 [0047.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0047.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0047.573] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0047.573] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0047.573] lstrlenW (lpString="DcomLaunch") returned 10 [0047.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.573] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0047.573] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0047.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0047.574] lstrlenW (lpString="Dhcp") returned 4 [0047.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0047.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0047.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0047.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0047.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0047.574] lstrlenW (lpString="Dnscache") returned 8 [0047.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0047.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0047.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0047.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0047.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0047.574] lstrlenW (lpString="DPS") returned 3 [0047.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0047.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0047.574] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0047.574] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0047.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0047.574] lstrlenW (lpString="eventlog") returned 8 [0047.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0047.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0047.574] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0047.574] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0047.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0047.574] lstrlenW (lpString="EventSystem") returned 11 [0047.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0047.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0047.574] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0047.574] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0047.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0047.574] lstrlenW (lpString="gpsvc") returned 5 [0047.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0047.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0047.574] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0047.574] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0047.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0047.574] lstrlenW (lpString="iphlpsvc") returned 8 [0047.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.575] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0047.575] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0047.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0047.575] lstrlenW (lpString="LanmanServer") returned 12 [0047.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0047.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0047.575] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0047.575] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0047.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0047.575] lstrlenW (lpString="LanmanWorkstation") returned 17 [0047.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.575] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0047.575] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0047.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0047.575] lstrlenW (lpString="lmhosts") returned 7 [0047.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0047.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0047.575] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0047.575] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0047.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0047.575] lstrlenW (lpString="MMCSS") returned 5 [0047.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0047.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0047.575] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0047.575] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0047.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0047.575] lstrlenW (lpString="MpsSvc") returned 6 [0047.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0047.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0047.575] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0047.575] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0047.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0047.576] lstrlenW (lpString="Netman") returned 6 [0047.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0047.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0047.576] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0047.576] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0047.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0047.576] lstrlenW (lpString="netprofm") returned 8 [0047.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0047.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0047.576] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0047.576] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0047.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0047.576] lstrlenW (lpString="NlaSvc") returned 6 [0047.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0047.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0047.576] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0047.576] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0047.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0047.576] lstrlenW (lpString="nsi") returned 3 [0047.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0047.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0047.576] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0047.576] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0047.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0047.576] lstrlenW (lpString="PcaSvc") returned 6 [0047.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0047.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0047.576] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0047.576] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0047.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0047.577] lstrlenW (lpString="PlugPlay") returned 8 [0047.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0047.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0047.577] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0047.577] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0047.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0047.577] lstrlenW (lpString="Power") returned 5 [0047.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0047.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0047.577] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0047.577] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0047.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0047.577] lstrlenW (lpString="ProfSvc") returned 7 [0047.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0047.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0047.577] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0047.577] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0047.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0047.577] lstrlenW (lpString="RpcEptMapper") returned 12 [0047.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.577] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0047.577] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0047.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0047.577] lstrlenW (lpString="RpcSs") returned 5 [0047.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0047.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0047.577] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0047.577] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0047.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0047.577] lstrlenW (lpString="SamSs") returned 5 [0047.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0047.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0047.578] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0047.578] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0047.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0047.578] lstrlenW (lpString="Schedule") returned 8 [0047.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0047.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0047.578] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0047.578] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0047.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0047.578] lstrlenW (lpString="SENS") returned 4 [0047.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0047.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0047.578] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0047.578] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0047.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0047.578] lstrlenW (lpString="ShellHWDetection") returned 16 [0047.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.578] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0047.578] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0047.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0047.578] lstrlenW (lpString="Spooler") returned 7 [0047.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0047.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0047.578] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0047.578] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0047.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0047.578] lstrlenW (lpString="SysMain") returned 7 [0047.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0047.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0047.578] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0047.579] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0047.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0047.579] lstrlenW (lpString="Themes") returned 6 [0047.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0047.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0047.579] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0047.579] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0047.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0047.579] lstrlenW (lpString="TrkWks") returned 6 [0047.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0047.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0047.579] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0047.579] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0047.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0047.579] lstrlenW (lpString="UxSms") returned 5 [0047.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0047.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0047.579] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0047.579] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0047.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0047.579] lstrlenW (lpString="VSS") returned 3 [0047.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0047.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0047.579] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0047.579] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0047.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0047.579] lstrlenW (lpString="WdiServiceHost") returned 14 [0047.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.580] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0047.580] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0047.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0047.580] lstrlenW (lpString="WdiSystemHost") returned 13 [0047.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.580] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0047.580] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0047.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0047.580] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0047.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.580] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0047.580] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0047.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0047.580] lstrlenW (lpString="Winmgmt") returned 7 [0047.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0047.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0047.580] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0047.580] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0047.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0047.580] lstrlenW (lpString="WPDBusEnum") returned 10 [0047.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.580] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0047.580] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0047.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0047.581] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x381d358 | out: hHeap=0x500000) returned 1 [0047.581] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e8 [0047.585] Process32FirstW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.585] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.586] lstrlenW (lpString="System") returned 6 [0047.586] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0047.586] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0047.586] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0047.586] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0047.586] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0047.586] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0047.586] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0047.586] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.586] lstrlenW (lpString="smss.exe") returned 8 [0047.586] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0047.586] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0047.587] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0047.587] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0047.587] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0047.587] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0047.587] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0047.587] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.588] lstrlenW (lpString="csrss.exe") returned 9 [0047.588] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.588] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.588] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.588] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.588] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.588] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.588] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0047.588] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.588] lstrlenW (lpString="wininit.exe") returned 11 [0047.588] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0047.588] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0047.588] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0047.588] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0047.588] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0047.588] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0047.588] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0047.588] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.589] lstrlenW (lpString="csrss.exe") returned 9 [0047.589] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.589] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.590] lstrlenW (lpString="winlogon.exe") returned 12 [0047.590] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.590] lstrlenW (lpString="services.exe") returned 12 [0047.590] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.591] lstrlenW (lpString="lsass.exe") returned 9 [0047.591] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0047.592] lstrlenW (lpString="lsm.exe") returned 7 [0047.592] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.592] lstrlenW (lpString="svchost.exe") returned 11 [0047.592] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.593] lstrlenW (lpString="svchost.exe") returned 11 [0047.593] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.593] lstrlenW (lpString="svchost.exe") returned 11 [0047.593] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.594] lstrlenW (lpString="svchost.exe") returned 11 [0047.594] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.594] lstrlenW (lpString="svchost.exe") returned 11 [0047.594] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.595] lstrlenW (lpString="audiodg.exe") returned 11 [0047.595] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.596] lstrlenW (lpString="svchost.exe") returned 11 [0047.596] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.596] lstrlenW (lpString="svchost.exe") returned 11 [0047.596] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.597] lstrlenW (lpString="dwm.exe") returned 7 [0047.597] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.597] lstrlenW (lpString="explorer.exe") returned 12 [0047.597] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.598] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.598] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.598] lstrlenW (lpString="svchost.exe") returned 11 [0047.599] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.599] lstrlenW (lpString="taskhost.exe") returned 12 [0047.599] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0047.600] lstrlenW (lpString="taskeng.exe") returned 11 [0047.600] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0047.600] lstrlenW (lpString="prime.exe") returned 9 [0047.600] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0047.601] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0047.601] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0047.602] lstrlenW (lpString="financing.exe") returned 13 [0047.602] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0047.602] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0047.602] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0047.603] lstrlenW (lpString="dg hit.exe") returned 10 [0047.603] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0047.603] lstrlenW (lpString="banners_drops.exe") returned 17 [0047.603] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0047.604] lstrlenW (lpString="vacuum.exe") returned 10 [0047.604] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0047.604] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0047.604] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0047.866] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0047.866] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0047.867] lstrlenW (lpString="holocauststored.exe") returned 19 [0047.867] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0047.867] lstrlenW (lpString="mini.exe") returned 8 [0047.867] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0047.868] lstrlenW (lpString="bi_tiny.exe") returned 11 [0047.868] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0047.868] lstrlenW (lpString="mall_drawn.exe") returned 14 [0047.869] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0047.869] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0047.869] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0047.916] lstrlenW (lpString="distributed.exe") returned 15 [0047.916] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0047.917] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0047.917] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0047.917] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0047.917] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0047.918] lstrlenW (lpString="3dftp.exe") returned 9 [0047.918] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0047.918] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0047.918] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0047.919] lstrlenW (lpString="alftp.exe") returned 9 [0047.919] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0047.919] lstrlenW (lpString="barca.exe") returned 9 [0047.919] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0047.920] lstrlenW (lpString="bitkinex.exe") returned 12 [0047.920] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0047.920] lstrlenW (lpString="coreftp.exe") returned 11 [0047.920] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0047.921] lstrlenW (lpString="far.exe") returned 7 [0047.921] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0047.921] lstrlenW (lpString="filezilla.exe") returned 13 [0047.921] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0047.922] lstrlenW (lpString="flashfxp.exe") returned 12 [0047.922] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0047.922] lstrlenW (lpString="fling.exe") returned 9 [0047.922] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0047.923] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0047.923] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0047.923] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0047.923] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0047.924] lstrlenW (lpString="icq.exe") returned 7 [0047.924] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0047.925] lstrlenW (lpString="leechftp.exe") returned 12 [0047.925] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0047.925] lstrlenW (lpString="ncftp.exe") returned 9 [0047.925] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0047.926] lstrlenW (lpString="notepad.exe") returned 11 [0047.926] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0047.926] lstrlenW (lpString="operamail.exe") returned 13 [0047.926] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0047.927] lstrlenW (lpString="pidgin.exe") returned 10 [0047.927] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0047.928] lstrlenW (lpString="scriptftp.exe") returned 13 [0047.928] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0047.928] lstrlenW (lpString="skype.exe") returned 9 [0047.928] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0047.929] lstrlenW (lpString="smartftp.exe") returned 12 [0047.929] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0047.930] lstrlenW (lpString="thunderbird.exe") returned 15 [0047.930] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0047.931] lstrlenW (lpString="totalcmd.exe") returned 12 [0047.931] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0047.932] lstrlenW (lpString="trillian.exe") returned 12 [0047.932] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0047.940] lstrlenW (lpString="webdrive.exe") returned 12 [0047.940] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0047.941] lstrlenW (lpString="whatsapp.exe") returned 12 [0047.941] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0047.942] lstrlenW (lpString="winscp.exe") returned 10 [0047.942] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0047.942] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0047.942] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0047.943] lstrlenW (lpString="active-charge.exe") returned 17 [0047.943] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0047.944] lstrlenW (lpString="accupos.exe") returned 11 [0047.944] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0047.945] lstrlenW (lpString="afr38.exe") returned 9 [0047.945] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0047.945] lstrlenW (lpString="aldelo.exe") returned 10 [0047.945] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0047.951] lstrlenW (lpString="ccv_server.exe") returned 14 [0047.951] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0047.964] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0047.964] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0047.973] lstrlenW (lpString="creditservice.exe") returned 17 [0047.973] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0047.976] lstrlenW (lpString="edcsvr.exe") returned 10 [0047.976] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0047.976] lstrlenW (lpString="fpos.exe") returned 8 [0047.977] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0047.977] lstrlenW (lpString="isspos.exe") returned 10 [0047.977] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0047.978] lstrlenW (lpString="mxslipstream.exe") returned 16 [0047.978] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0047.978] lstrlenW (lpString="omnipos.exe") returned 11 [0047.979] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0048.088] lstrlenW (lpString="spcwin.exe") returned 10 [0048.088] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0048.089] lstrlenW (lpString="spgagentservice.exe") returned 19 [0048.089] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0048.089] lstrlenW (lpString="utg2.exe") returned 8 [0048.089] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0048.090] lstrlenW (lpString="focuses.exe") returned 11 [0048.090] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0048.090] lstrlenW (lpString="fi fence.exe") returned 12 [0048.091] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0048.091] lstrlenW (lpString="knight.exe") returned 10 [0048.091] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0048.092] lstrlenW (lpString="library.exe") returned 11 [0048.092] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.092] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.092] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.093] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.093] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.094] lstrlenW (lpString="taskhost.exe") returned 12 [0048.094] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0048.094] lstrlenW (lpString="winhost.exe") returned 11 [0048.094] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.095] lstrlenW (lpString="cmd.exe") returned 7 [0048.095] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.096] lstrlenW (lpString="conhost.exe") returned 11 [0048.096] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.096] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.096] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.097] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.097] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0048.097] CloseHandle (hObject=0x1e8) returned 1 [0048.097] Sleep (dwMilliseconds=0x1f4) [0049.352] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3bf0 [0049.462] EnumServicesStatusExW (in: hSCManager=0x5a3bf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0049.512] GetLastError () returned 0xea [0049.512] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x123e) returned 0x3817128 [0049.513] EnumServicesStatusExW (in: hSCManager=0x5a3bf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3817128, cbBufSize=0x123e, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3817128, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0049.553] CloseServiceHandle (hSCObject=0x5a3bf0) returned 1 [0049.565] lstrlenW (lpString="Appinfo") returned 7 [0049.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.565] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.565] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.565] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.565] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.565] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.565] lstrlenW (lpString="AudioSrv") returned 8 [0049.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.565] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.565] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.565] lstrlenW (lpString="BFE") returned 3 [0049.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.565] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.565] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.566] lstrlenW (lpString="CryptSvc") returned 8 [0049.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.566] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.566] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.566] lstrlenW (lpString="CscService") returned 10 [0049.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.566] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.566] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.566] lstrlenW (lpString="DcomLaunch") returned 10 [0049.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.566] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.566] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.566] lstrlenW (lpString="Dhcp") returned 4 [0049.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.566] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.566] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.566] lstrlenW (lpString="Dnscache") returned 8 [0049.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.566] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.566] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.566] lstrlenW (lpString="DPS") returned 3 [0049.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.566] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.567] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.567] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.567] lstrlenW (lpString="eventlog") returned 8 [0049.567] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.567] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.567] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.567] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.567] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.567] lstrlenW (lpString="EventSystem") returned 11 [0049.567] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.567] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.567] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.567] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.567] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.567] lstrlenW (lpString="gpsvc") returned 5 [0049.567] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.567] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.567] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.567] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.567] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.567] lstrlenW (lpString="iphlpsvc") returned 8 [0049.567] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.567] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.567] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.567] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.567] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.567] lstrlenW (lpString="LanmanServer") returned 12 [0049.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.568] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.568] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.568] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.568] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.568] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.568] lstrlenW (lpString="lmhosts") returned 7 [0049.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.568] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.568] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.568] lstrlenW (lpString="MMCSS") returned 5 [0049.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.568] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.568] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.568] lstrlenW (lpString="MpsSvc") returned 6 [0049.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.568] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.569] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.569] lstrlenW (lpString="Netman") returned 6 [0049.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.569] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.569] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.569] lstrlenW (lpString="netprofm") returned 8 [0049.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.569] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.569] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.569] lstrlenW (lpString="NlaSvc") returned 6 [0049.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.569] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.569] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.569] lstrlenW (lpString="nsi") returned 3 [0049.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.569] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.569] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.569] lstrlenW (lpString="PcaSvc") returned 6 [0049.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.569] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.569] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.569] lstrlenW (lpString="PlugPlay") returned 8 [0049.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.569] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.570] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.570] lstrlenW (lpString="Power") returned 5 [0049.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.570] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.570] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.570] lstrlenW (lpString="ProfSvc") returned 7 [0049.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.570] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.570] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.570] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.570] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.570] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.570] lstrlenW (lpString="RpcSs") returned 5 [0049.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.570] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.570] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.570] lstrlenW (lpString="SamSs") returned 5 [0049.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.571] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.571] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.571] lstrlenW (lpString="Schedule") returned 8 [0049.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.571] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.571] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.571] lstrlenW (lpString="SENS") returned 4 [0049.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.571] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.571] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.571] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.571] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.571] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.571] lstrlenW (lpString="Spooler") returned 7 [0049.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.572] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.572] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.572] lstrlenW (lpString="SysMain") returned 7 [0049.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.573] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.573] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.573] lstrlenW (lpString="Themes") returned 6 [0049.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.573] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.573] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.573] lstrlenW (lpString="TrkWks") returned 6 [0049.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.573] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.573] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.573] lstrlenW (lpString="UxSms") returned 5 [0049.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.573] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.573] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.573] lstrlenW (lpString="VSS") returned 3 [0049.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.573] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.574] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.574] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.574] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.574] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.574] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.574] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.574] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.574] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.574] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.574] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.574] lstrlenW (lpString="Winmgmt") returned 7 [0049.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.574] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.574] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.574] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3817128 | out: hHeap=0x500000) returned 1 [0049.575] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e8 [0049.578] Process32FirstW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.579] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.580] lstrlenW (lpString="System") returned 6 [0049.580] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.580] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.580] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.580] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.580] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.580] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.580] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.580] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.580] lstrlenW (lpString="smss.exe") returned 8 [0049.580] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.580] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.580] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.580] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.580] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.580] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.581] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.581] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.581] lstrlenW (lpString="csrss.exe") returned 9 [0049.581] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.581] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.581] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.581] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.581] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.581] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.581] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.581] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.582] lstrlenW (lpString="wininit.exe") returned 11 [0049.582] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.582] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.582] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.582] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0049.582] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0049.582] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0049.582] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0049.582] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.582] lstrlenW (lpString="csrss.exe") returned 9 [0049.582] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.583] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.583] lstrlenW (lpString="winlogon.exe") returned 12 [0049.583] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.584] lstrlenW (lpString="services.exe") returned 12 [0049.584] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.584] lstrlenW (lpString="lsass.exe") returned 9 [0049.584] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.585] lstrlenW (lpString="lsm.exe") returned 7 [0049.585] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.585] lstrlenW (lpString="svchost.exe") returned 11 [0049.585] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.586] lstrlenW (lpString="svchost.exe") returned 11 [0049.586] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.586] lstrlenW (lpString="svchost.exe") returned 11 [0049.586] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.587] lstrlenW (lpString="svchost.exe") returned 11 [0049.587] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.587] lstrlenW (lpString="svchost.exe") returned 11 [0049.587] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.588] lstrlenW (lpString="audiodg.exe") returned 11 [0049.588] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.588] lstrlenW (lpString="svchost.exe") returned 11 [0049.589] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.589] lstrlenW (lpString="svchost.exe") returned 11 [0049.589] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.589] lstrlenW (lpString="dwm.exe") returned 7 [0049.590] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.590] lstrlenW (lpString="explorer.exe") returned 12 [0049.590] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.591] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.591] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.591] lstrlenW (lpString="svchost.exe") returned 11 [0049.591] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.592] lstrlenW (lpString="taskhost.exe") returned 12 [0049.592] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.592] lstrlenW (lpString="taskeng.exe") returned 11 [0049.592] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0049.593] lstrlenW (lpString="prime.exe") returned 9 [0049.593] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0049.593] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0049.593] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0049.594] lstrlenW (lpString="financing.exe") returned 13 [0049.594] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0049.594] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0049.594] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0049.595] lstrlenW (lpString="dg hit.exe") returned 10 [0049.595] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0049.595] lstrlenW (lpString="banners_drops.exe") returned 17 [0049.595] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0049.596] lstrlenW (lpString="vacuum.exe") returned 10 [0049.596] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0049.596] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0049.596] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0049.597] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0049.597] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0049.597] lstrlenW (lpString="holocauststored.exe") returned 19 [0049.597] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0049.598] lstrlenW (lpString="mini.exe") returned 8 [0049.598] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0049.598] lstrlenW (lpString="bi_tiny.exe") returned 11 [0049.598] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0050.132] lstrlenW (lpString="mall_drawn.exe") returned 14 [0050.132] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0050.133] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0050.133] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0050.133] lstrlenW (lpString="distributed.exe") returned 15 [0050.133] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0050.134] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0050.134] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0050.135] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0050.135] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0050.135] lstrlenW (lpString="3dftp.exe") returned 9 [0050.135] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0050.136] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0050.136] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0050.137] lstrlenW (lpString="alftp.exe") returned 9 [0050.137] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0050.137] lstrlenW (lpString="barca.exe") returned 9 [0050.137] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0050.138] lstrlenW (lpString="bitkinex.exe") returned 12 [0050.138] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0050.139] lstrlenW (lpString="coreftp.exe") returned 11 [0050.139] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0050.139] lstrlenW (lpString="far.exe") returned 7 [0050.139] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0050.140] lstrlenW (lpString="filezilla.exe") returned 13 [0050.140] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0050.141] lstrlenW (lpString="flashfxp.exe") returned 12 [0050.141] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0050.141] lstrlenW (lpString="fling.exe") returned 9 [0050.141] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0050.142] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0050.142] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0050.143] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0050.143] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0050.143] lstrlenW (lpString="icq.exe") returned 7 [0050.143] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0050.145] lstrlenW (lpString="leechftp.exe") returned 12 [0050.145] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0050.145] lstrlenW (lpString="ncftp.exe") returned 9 [0050.145] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0050.146] lstrlenW (lpString="notepad.exe") returned 11 [0050.146] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0050.147] lstrlenW (lpString="operamail.exe") returned 13 [0050.147] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0050.148] lstrlenW (lpString="pidgin.exe") returned 10 [0050.148] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0050.149] lstrlenW (lpString="scriptftp.exe") returned 13 [0050.149] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0050.150] lstrlenW (lpString="skype.exe") returned 9 [0050.150] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0050.151] lstrlenW (lpString="smartftp.exe") returned 12 [0050.151] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0050.152] lstrlenW (lpString="thunderbird.exe") returned 15 [0050.152] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0050.153] lstrlenW (lpString="totalcmd.exe") returned 12 [0050.153] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0050.154] lstrlenW (lpString="trillian.exe") returned 12 [0050.154] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0050.155] lstrlenW (lpString="webdrive.exe") returned 12 [0050.155] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0050.156] lstrlenW (lpString="whatsapp.exe") returned 12 [0050.156] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0050.157] lstrlenW (lpString="winscp.exe") returned 10 [0050.157] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0050.158] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0050.158] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0050.159] lstrlenW (lpString="active-charge.exe") returned 17 [0050.159] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0050.160] lstrlenW (lpString="accupos.exe") returned 11 [0050.160] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0050.161] lstrlenW (lpString="afr38.exe") returned 9 [0050.161] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0050.162] lstrlenW (lpString="aldelo.exe") returned 10 [0050.162] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0050.163] lstrlenW (lpString="ccv_server.exe") returned 14 [0050.163] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0050.164] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0050.164] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0050.165] lstrlenW (lpString="creditservice.exe") returned 17 [0050.165] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0050.165] lstrlenW (lpString="edcsvr.exe") returned 10 [0050.165] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0050.166] lstrlenW (lpString="fpos.exe") returned 8 [0050.166] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0050.167] lstrlenW (lpString="isspos.exe") returned 10 [0050.167] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0050.168] lstrlenW (lpString="mxslipstream.exe") returned 16 [0050.168] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0050.169] lstrlenW (lpString="omnipos.exe") returned 11 [0050.169] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0050.226] lstrlenW (lpString="spcwin.exe") returned 10 [0050.226] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0050.226] lstrlenW (lpString="spgagentservice.exe") returned 19 [0050.226] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0050.227] lstrlenW (lpString="utg2.exe") returned 8 [0050.227] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0050.228] lstrlenW (lpString="focuses.exe") returned 11 [0050.228] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0050.228] lstrlenW (lpString="fi fence.exe") returned 12 [0050.228] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0050.229] lstrlenW (lpString="knight.exe") returned 10 [0050.229] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0050.230] lstrlenW (lpString="library.exe") returned 11 [0050.230] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.230] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.230] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.231] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.231] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.231] lstrlenW (lpString="taskhost.exe") returned 12 [0050.232] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0050.232] lstrlenW (lpString="winhost.exe") returned 11 [0050.232] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0050.233] lstrlenW (lpString="cmd.exe") returned 7 [0050.233] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0050.233] lstrlenW (lpString="conhost.exe") returned 11 [0050.233] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0050.234] lstrlenW (lpString="vssadmin.exe") returned 12 [0050.234] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0050.234] lstrlenW (lpString="VSSVC.exe") returned 9 [0050.235] Process32NextW (in: hSnapshot=0x1e8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0050.235] CloseHandle (hObject=0x1e8) returned 1 [0050.235] Sleep (dwMilliseconds=0x1f4) [0050.880] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3bf0 [0050.881] EnumServicesStatusExW (in: hSCManager=0x5a3bf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0050.881] GetLastError () returned 0xea [0050.881] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3817128 [0050.882] EnumServicesStatusExW (in: hSCManager=0x5a3bf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3817128, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3817128, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0050.883] CloseServiceHandle (hSCObject=0x5a3bf0) returned 1 [0050.883] lstrlenW (lpString="Appinfo") returned 7 [0050.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.883] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.883] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.883] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.883] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.883] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.883] lstrlenW (lpString="AudioSrv") returned 8 [0050.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.883] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.883] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.883] lstrlenW (lpString="BFE") returned 3 [0050.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.883] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.883] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.883] lstrlenW (lpString="CryptSvc") returned 8 [0050.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.884] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.884] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.884] lstrlenW (lpString="CscService") returned 10 [0050.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.884] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.884] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.884] lstrlenW (lpString="DcomLaunch") returned 10 [0050.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.884] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.884] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.884] lstrlenW (lpString="Dhcp") returned 4 [0050.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.884] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.884] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.884] lstrlenW (lpString="Dnscache") returned 8 [0050.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.884] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.884] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.884] lstrlenW (lpString="DPS") returned 3 [0050.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.884] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.884] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.884] lstrlenW (lpString="eventlog") returned 8 [0050.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.885] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.885] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.885] lstrlenW (lpString="EventSystem") returned 11 [0050.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.885] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.885] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.885] lstrlenW (lpString="gpsvc") returned 5 [0050.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.885] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.885] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.885] lstrlenW (lpString="iphlpsvc") returned 8 [0050.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.885] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.885] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.885] lstrlenW (lpString="LanmanServer") returned 12 [0050.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.885] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.885] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.885] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.885] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.885] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.885] lstrlenW (lpString="lmhosts") returned 7 [0050.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.886] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.886] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.886] lstrlenW (lpString="MMCSS") returned 5 [0050.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.886] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.886] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.886] lstrlenW (lpString="MpsSvc") returned 6 [0050.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.886] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.886] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.886] lstrlenW (lpString="Netman") returned 6 [0050.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.886] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.886] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.886] lstrlenW (lpString="netprofm") returned 8 [0050.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.886] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.886] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.886] lstrlenW (lpString="NlaSvc") returned 6 [0050.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.886] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.886] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.886] lstrlenW (lpString="nsi") returned 3 [0050.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.887] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.887] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.887] lstrlenW (lpString="PcaSvc") returned 6 [0050.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.887] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.887] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.887] lstrlenW (lpString="PlugPlay") returned 8 [0050.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.887] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.887] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.887] lstrlenW (lpString="Power") returned 5 [0050.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.887] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.887] lstrlenW (lpString="ProfSvc") returned 7 [0050.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.887] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.887] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.887] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.887] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.887] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.887] lstrlenW (lpString="RpcSs") returned 5 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.888] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.888] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.888] lstrlenW (lpString="SamSs") returned 5 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.888] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.888] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.888] lstrlenW (lpString="Schedule") returned 8 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.888] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.888] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.888] lstrlenW (lpString="SENS") returned 4 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.888] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.888] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.888] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.888] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.888] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.888] lstrlenW (lpString="Spooler") returned 7 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.888] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.888] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.888] lstrlenW (lpString="swprv") returned 5 [0050.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.889] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.889] lstrlenW (lpString="SysMain") returned 7 [0050.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.889] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.889] lstrlenW (lpString="Themes") returned 6 [0050.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.889] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.889] lstrlenW (lpString="TrkWks") returned 6 [0050.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.889] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.889] lstrlenW (lpString="UxSms") returned 5 [0050.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.889] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.889] lstrlenW (lpString="VSS") returned 3 [0050.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.889] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.889] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.889] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.890] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.890] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.890] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.890] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.890] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.890] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.890] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.890] lstrlenW (lpString="Winmgmt") returned 7 [0050.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.890] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.890] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.890] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.890] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.890] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.890] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3817128 | out: hHeap=0x500000) returned 1 [0050.890] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0050.894] Process32FirstW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.895] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.895] lstrlenW (lpString="System") returned 6 [0050.895] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0050.895] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0050.895] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0050.895] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0050.896] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0050.896] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0050.896] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0050.896] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.896] lstrlenW (lpString="smss.exe") returned 8 [0050.896] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0050.896] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0050.896] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0050.896] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0050.896] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0050.896] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0050.896] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0050.896] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.897] lstrlenW (lpString="csrss.exe") returned 9 [0050.897] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0050.897] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0050.897] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0050.897] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0050.897] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0050.897] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0050.897] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0050.897] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.898] lstrlenW (lpString="wininit.exe") returned 11 [0050.898] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0050.898] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0050.898] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0050.898] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.898] lstrlenW (lpString="csrss.exe") returned 9 [0050.898] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.899] lstrlenW (lpString="winlogon.exe") returned 12 [0050.899] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.899] lstrlenW (lpString="services.exe") returned 12 [0050.899] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.900] lstrlenW (lpString="lsass.exe") returned 9 [0050.900] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0050.900] lstrlenW (lpString="lsm.exe") returned 7 [0050.901] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.901] lstrlenW (lpString="svchost.exe") returned 11 [0050.901] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.902] lstrlenW (lpString="svchost.exe") returned 11 [0050.902] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.902] lstrlenW (lpString="svchost.exe") returned 11 [0050.902] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.903] lstrlenW (lpString="svchost.exe") returned 11 [0050.903] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.903] lstrlenW (lpString="svchost.exe") returned 11 [0050.904] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.904] lstrlenW (lpString="audiodg.exe") returned 11 [0050.904] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.905] lstrlenW (lpString="svchost.exe") returned 11 [0050.905] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.905] lstrlenW (lpString="svchost.exe") returned 11 [0050.905] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.906] lstrlenW (lpString="dwm.exe") returned 7 [0050.906] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.906] lstrlenW (lpString="explorer.exe") returned 12 [0050.906] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.907] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.907] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.908] lstrlenW (lpString="svchost.exe") returned 11 [0050.908] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.909] lstrlenW (lpString="taskhost.exe") returned 12 [0050.909] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0050.910] lstrlenW (lpString="taskeng.exe") returned 11 [0050.910] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0050.910] lstrlenW (lpString="prime.exe") returned 9 [0050.910] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0050.911] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0050.911] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0050.912] lstrlenW (lpString="financing.exe") returned 13 [0050.912] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0050.912] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0050.913] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0050.913] lstrlenW (lpString="dg hit.exe") returned 10 [0050.913] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0050.914] lstrlenW (lpString="banners_drops.exe") returned 17 [0050.914] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0051.016] lstrlenW (lpString="vacuum.exe") returned 10 [0051.016] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0051.017] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0051.017] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0051.017] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0051.017] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0051.018] lstrlenW (lpString="holocauststored.exe") returned 19 [0051.018] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0051.018] lstrlenW (lpString="mini.exe") returned 8 [0051.018] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0051.019] lstrlenW (lpString="bi_tiny.exe") returned 11 [0051.019] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0051.020] lstrlenW (lpString="mall_drawn.exe") returned 14 [0051.020] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0051.020] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0051.020] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0051.021] lstrlenW (lpString="distributed.exe") returned 15 [0051.021] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0051.021] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0051.021] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0051.022] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0051.022] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0051.022] lstrlenW (lpString="3dftp.exe") returned 9 [0051.022] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0051.023] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0051.023] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0051.023] lstrlenW (lpString="alftp.exe") returned 9 [0051.024] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0051.024] lstrlenW (lpString="barca.exe") returned 9 [0051.024] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0051.024] lstrlenW (lpString="bitkinex.exe") returned 12 [0051.025] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0051.025] lstrlenW (lpString="coreftp.exe") returned 11 [0051.025] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0051.026] lstrlenW (lpString="far.exe") returned 7 [0051.026] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0051.026] lstrlenW (lpString="filezilla.exe") returned 13 [0051.026] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0051.027] lstrlenW (lpString="flashfxp.exe") returned 12 [0051.027] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0051.027] lstrlenW (lpString="fling.exe") returned 9 [0051.027] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0051.028] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0051.028] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0051.029] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0051.029] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0051.029] lstrlenW (lpString="icq.exe") returned 7 [0051.029] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0051.030] lstrlenW (lpString="leechftp.exe") returned 12 [0051.030] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0051.030] lstrlenW (lpString="ncftp.exe") returned 9 [0051.030] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0051.031] lstrlenW (lpString="notepad.exe") returned 11 [0051.031] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0051.031] lstrlenW (lpString="operamail.exe") returned 13 [0051.031] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0051.032] lstrlenW (lpString="pidgin.exe") returned 10 [0051.032] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0051.033] lstrlenW (lpString="scriptftp.exe") returned 13 [0051.033] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0051.034] lstrlenW (lpString="skype.exe") returned 9 [0051.034] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0051.035] lstrlenW (lpString="smartftp.exe") returned 12 [0051.035] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0051.036] lstrlenW (lpString="thunderbird.exe") returned 15 [0051.036] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0051.036] lstrlenW (lpString="totalcmd.exe") returned 12 [0051.036] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0051.037] lstrlenW (lpString="trillian.exe") returned 12 [0051.037] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0051.038] lstrlenW (lpString="webdrive.exe") returned 12 [0051.038] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0051.039] lstrlenW (lpString="whatsapp.exe") returned 12 [0051.039] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0051.040] lstrlenW (lpString="winscp.exe") returned 10 [0051.040] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0051.041] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0051.041] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0051.042] lstrlenW (lpString="active-charge.exe") returned 17 [0051.042] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0051.042] lstrlenW (lpString="accupos.exe") returned 11 [0051.043] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0051.043] lstrlenW (lpString="afr38.exe") returned 9 [0051.043] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0051.044] lstrlenW (lpString="aldelo.exe") returned 10 [0051.044] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0051.045] lstrlenW (lpString="ccv_server.exe") returned 14 [0051.045] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0051.046] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0051.046] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0051.047] lstrlenW (lpString="creditservice.exe") returned 17 [0051.047] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0051.047] lstrlenW (lpString="edcsvr.exe") returned 10 [0051.047] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0051.048] lstrlenW (lpString="fpos.exe") returned 8 [0051.048] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0051.049] lstrlenW (lpString="isspos.exe") returned 10 [0051.049] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0051.049] lstrlenW (lpString="mxslipstream.exe") returned 16 [0051.049] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0051.162] lstrlenW (lpString="omnipos.exe") returned 11 [0051.162] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0051.255] lstrlenW (lpString="spcwin.exe") returned 10 [0051.255] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0051.256] lstrlenW (lpString="spgagentservice.exe") returned 19 [0051.256] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0051.257] lstrlenW (lpString="utg2.exe") returned 8 [0051.257] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0051.257] lstrlenW (lpString="focuses.exe") returned 11 [0051.258] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0051.258] lstrlenW (lpString="fi fence.exe") returned 12 [0051.258] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0051.259] lstrlenW (lpString="knight.exe") returned 10 [0051.259] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0051.260] lstrlenW (lpString="library.exe") returned 11 [0051.260] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.261] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.261] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.262] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.262] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.263] lstrlenW (lpString="taskhost.exe") returned 12 [0051.263] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0051.264] lstrlenW (lpString="winhost.exe") returned 11 [0051.264] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.264] lstrlenW (lpString="cmd.exe") returned 7 [0051.264] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.265] lstrlenW (lpString="conhost.exe") returned 11 [0051.265] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.266] lstrlenW (lpString="vssadmin.exe") returned 12 [0051.266] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0051.267] lstrlenW (lpString="VSSVC.exe") returned 9 [0051.267] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.268] lstrlenW (lpString="svchost.exe") returned 11 [0051.268] Process32NextW (in: hSnapshot=0x19c, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.269] CloseHandle (hObject=0x19c) returned 1 [0051.269] Sleep (dwMilliseconds=0x1f4) [0051.981] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a28a0 [0051.981] EnumServicesStatusExW (in: hSCManager=0x5a28a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0051.982] GetLastError () returned 0xea [0051.982] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3817128 [0051.982] EnumServicesStatusExW (in: hSCManager=0x5a28a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3817128, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3817128, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0051.983] CloseServiceHandle (hSCObject=0x5a28a0) returned 1 [0051.983] lstrlenW (lpString="Appinfo") returned 7 [0051.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0051.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0051.983] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0051.983] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0051.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0051.983] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0051.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.983] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0051.983] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0051.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0051.983] lstrlenW (lpString="AudioSrv") returned 8 [0051.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0051.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0051.983] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0051.983] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0051.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0051.983] lstrlenW (lpString="BFE") returned 3 [0051.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0051.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0051.983] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0051.983] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0051.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0051.984] lstrlenW (lpString="CryptSvc") returned 8 [0051.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0051.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0051.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0051.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0051.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0051.984] lstrlenW (lpString="CscService") returned 10 [0051.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0051.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0051.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0051.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0051.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0051.984] lstrlenW (lpString="DcomLaunch") returned 10 [0051.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0051.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0051.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0051.984] lstrlenW (lpString="Dhcp") returned 4 [0051.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0051.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0051.984] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0051.984] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0051.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0051.984] lstrlenW (lpString="Dnscache") returned 8 [0051.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0051.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0051.984] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0051.984] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0051.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0051.984] lstrlenW (lpString="DPS") returned 3 [0051.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0051.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0051.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0051.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0051.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0051.985] lstrlenW (lpString="eventlog") returned 8 [0051.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0051.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0051.985] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0051.985] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0051.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0051.985] lstrlenW (lpString="EventSystem") returned 11 [0051.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0051.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0051.985] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0051.985] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0051.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0051.985] lstrlenW (lpString="gpsvc") returned 5 [0051.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0051.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0051.985] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0051.985] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0051.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0051.985] lstrlenW (lpString="iphlpsvc") returned 8 [0051.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.985] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0051.985] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0051.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0051.985] lstrlenW (lpString="LanmanServer") returned 12 [0051.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0051.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0051.985] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0051.985] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0051.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0051.985] lstrlenW (lpString="LanmanWorkstation") returned 17 [0051.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.985] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0051.986] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0051.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0051.986] lstrlenW (lpString="lmhosts") returned 7 [0051.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0051.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0051.986] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0051.986] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0051.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0051.986] lstrlenW (lpString="MMCSS") returned 5 [0051.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0051.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0051.986] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0051.986] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0051.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0051.986] lstrlenW (lpString="MpsSvc") returned 6 [0051.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0051.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0051.986] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0051.986] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0051.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0051.986] lstrlenW (lpString="Netman") returned 6 [0051.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0051.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0051.986] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0051.986] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0051.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0051.986] lstrlenW (lpString="netprofm") returned 8 [0051.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0051.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0051.986] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0051.986] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0051.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0051.987] lstrlenW (lpString="NlaSvc") returned 6 [0051.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0051.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0051.987] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0051.987] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0051.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0051.987] lstrlenW (lpString="nsi") returned 3 [0051.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0051.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0051.987] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0051.987] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0051.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0051.987] lstrlenW (lpString="PcaSvc") returned 6 [0051.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0051.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0051.987] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0051.987] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0051.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0051.987] lstrlenW (lpString="PlugPlay") returned 8 [0051.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0051.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0051.987] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0051.987] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0051.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0051.987] lstrlenW (lpString="Power") returned 5 [0051.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0051.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0051.987] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0051.987] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0051.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0051.987] lstrlenW (lpString="ProfSvc") returned 7 [0051.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0051.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0051.988] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0051.988] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0051.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0051.988] lstrlenW (lpString="RpcEptMapper") returned 12 [0051.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.988] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0051.988] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0051.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0051.988] lstrlenW (lpString="RpcSs") returned 5 [0051.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0051.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0051.988] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0051.988] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0051.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0051.988] lstrlenW (lpString="SamSs") returned 5 [0051.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0051.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0051.988] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0051.988] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0051.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0051.988] lstrlenW (lpString="Schedule") returned 8 [0051.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0051.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0051.988] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0051.988] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0051.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0051.988] lstrlenW (lpString="SENS") returned 4 [0051.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0051.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0051.988] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0051.988] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0051.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0051.988] lstrlenW (lpString="ShellHWDetection") returned 16 [0051.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.989] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0051.989] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0051.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0051.989] lstrlenW (lpString="Spooler") returned 7 [0051.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0051.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0051.989] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0051.989] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0051.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0051.989] lstrlenW (lpString="swprv") returned 5 [0051.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0051.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0051.989] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0051.989] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0051.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0051.989] lstrlenW (lpString="SysMain") returned 7 [0051.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0051.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0051.989] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0051.989] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0051.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0051.989] lstrlenW (lpString="Themes") returned 6 [0051.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0051.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0051.989] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0051.989] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0051.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0051.989] lstrlenW (lpString="TrkWks") returned 6 [0051.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0051.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0051.989] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0051.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0051.990] lstrlenW (lpString="UxSms") returned 5 [0051.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0051.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0051.990] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0051.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0051.990] lstrlenW (lpString="VSS") returned 3 [0051.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0051.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0051.990] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0051.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0051.990] lstrlenW (lpString="WdiServiceHost") returned 14 [0051.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.990] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0051.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0051.990] lstrlenW (lpString="WdiSystemHost") returned 13 [0051.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.990] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0051.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0051.990] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0051.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.990] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0051.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0051.990] lstrlenW (lpString="Winmgmt") returned 7 [0051.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0051.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0051.990] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0051.990] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0051.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0051.991] lstrlenW (lpString="WPDBusEnum") returned 10 [0051.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.991] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0051.991] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0051.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0051.991] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3817128 | out: hHeap=0x500000) returned 1 [0051.991] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x194 [0051.995] Process32FirstW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.996] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.996] lstrlenW (lpString="System") returned 6 [0051.996] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.996] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.996] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.996] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.996] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.996] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.996] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.996] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.997] lstrlenW (lpString="smss.exe") returned 8 [0051.997] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.997] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.997] lstrlenW (lpString="csrss.exe") returned 9 [0051.997] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.997] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.998] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.998] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.998] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.998] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.998] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.998] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.998] lstrlenW (lpString="wininit.exe") returned 11 [0051.998] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.998] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.998] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.998] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.999] lstrlenW (lpString="csrss.exe") returned 9 [0051.999] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.999] lstrlenW (lpString="winlogon.exe") returned 12 [0051.999] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.000] lstrlenW (lpString="services.exe") returned 12 [0052.000] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.001] lstrlenW (lpString="lsass.exe") returned 9 [0052.001] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0052.001] lstrlenW (lpString="lsm.exe") returned 7 [0052.001] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.002] lstrlenW (lpString="svchost.exe") returned 11 [0052.002] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.002] lstrlenW (lpString="svchost.exe") returned 11 [0052.002] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.003] lstrlenW (lpString="svchost.exe") returned 11 [0052.003] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.003] lstrlenW (lpString="svchost.exe") returned 11 [0052.003] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.004] lstrlenW (lpString="svchost.exe") returned 11 [0052.004] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.004] lstrlenW (lpString="audiodg.exe") returned 11 [0052.004] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.005] lstrlenW (lpString="svchost.exe") returned 11 [0052.005] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.005] lstrlenW (lpString="svchost.exe") returned 11 [0052.005] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.006] lstrlenW (lpString="dwm.exe") returned 7 [0052.006] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.007] lstrlenW (lpString="explorer.exe") returned 12 [0052.007] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.007] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.007] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.008] lstrlenW (lpString="svchost.exe") returned 11 [0052.008] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.008] lstrlenW (lpString="taskhost.exe") returned 12 [0052.008] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0052.009] lstrlenW (lpString="taskeng.exe") returned 11 [0052.009] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0052.009] lstrlenW (lpString="prime.exe") returned 9 [0052.009] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0052.010] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0052.010] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0052.010] lstrlenW (lpString="financing.exe") returned 13 [0052.010] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0052.011] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0052.011] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0052.011] lstrlenW (lpString="dg hit.exe") returned 10 [0052.011] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0052.012] lstrlenW (lpString="banners_drops.exe") returned 17 [0052.012] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0052.012] lstrlenW (lpString="vacuum.exe") returned 10 [0052.012] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0052.013] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0052.013] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0052.013] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0052.013] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0052.014] lstrlenW (lpString="holocauststored.exe") returned 19 [0052.014] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0052.014] lstrlenW (lpString="mini.exe") returned 8 [0052.014] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0052.015] lstrlenW (lpString="bi_tiny.exe") returned 11 [0052.015] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0052.255] lstrlenW (lpString="mall_drawn.exe") returned 14 [0052.255] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0052.255] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0052.286] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0052.287] lstrlenW (lpString="distributed.exe") returned 15 [0052.287] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0052.288] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0052.288] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0052.288] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0052.288] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0052.289] lstrlenW (lpString="3dftp.exe") returned 9 [0052.289] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0052.289] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0052.289] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0052.290] lstrlenW (lpString="alftp.exe") returned 9 [0052.290] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0052.290] lstrlenW (lpString="barca.exe") returned 9 [0052.290] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0052.291] lstrlenW (lpString="bitkinex.exe") returned 12 [0052.291] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0052.291] lstrlenW (lpString="coreftp.exe") returned 11 [0052.291] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0052.292] lstrlenW (lpString="far.exe") returned 7 [0052.292] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0052.292] lstrlenW (lpString="filezilla.exe") returned 13 [0052.292] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0052.293] lstrlenW (lpString="flashfxp.exe") returned 12 [0052.293] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0052.293] lstrlenW (lpString="fling.exe") returned 9 [0052.293] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0052.294] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0052.294] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0052.295] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0052.295] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0052.295] lstrlenW (lpString="icq.exe") returned 7 [0052.295] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0052.296] lstrlenW (lpString="leechftp.exe") returned 12 [0052.296] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0052.296] lstrlenW (lpString="ncftp.exe") returned 9 [0052.296] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0052.297] lstrlenW (lpString="notepad.exe") returned 11 [0052.297] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0052.297] lstrlenW (lpString="operamail.exe") returned 13 [0052.297] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0052.298] lstrlenW (lpString="pidgin.exe") returned 10 [0052.298] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0052.299] lstrlenW (lpString="scriptftp.exe") returned 13 [0052.299] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0052.300] lstrlenW (lpString="skype.exe") returned 9 [0052.300] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0052.301] lstrlenW (lpString="smartftp.exe") returned 12 [0052.301] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0052.301] lstrlenW (lpString="thunderbird.exe") returned 15 [0052.301] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0052.302] lstrlenW (lpString="totalcmd.exe") returned 12 [0052.302] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0052.303] lstrlenW (lpString="trillian.exe") returned 12 [0052.303] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0052.304] lstrlenW (lpString="webdrive.exe") returned 12 [0052.304] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0052.305] lstrlenW (lpString="whatsapp.exe") returned 12 [0052.305] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0052.305] lstrlenW (lpString="winscp.exe") returned 10 [0052.305] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0052.306] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0052.306] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0052.307] lstrlenW (lpString="active-charge.exe") returned 17 [0052.307] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0052.308] lstrlenW (lpString="accupos.exe") returned 11 [0052.308] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0052.308] lstrlenW (lpString="afr38.exe") returned 9 [0052.308] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0052.309] lstrlenW (lpString="aldelo.exe") returned 10 [0052.309] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0052.310] lstrlenW (lpString="ccv_server.exe") returned 14 [0052.310] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0052.311] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0052.311] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0052.311] lstrlenW (lpString="creditservice.exe") returned 17 [0052.312] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0052.312] lstrlenW (lpString="edcsvr.exe") returned 10 [0052.312] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0052.313] lstrlenW (lpString="fpos.exe") returned 8 [0052.313] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0052.314] lstrlenW (lpString="isspos.exe") returned 10 [0052.314] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0052.314] lstrlenW (lpString="mxslipstream.exe") returned 16 [0052.314] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0052.315] lstrlenW (lpString="omnipos.exe") returned 11 [0052.315] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0052.318] lstrlenW (lpString="spcwin.exe") returned 10 [0052.318] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0052.540] lstrlenW (lpString="spgagentservice.exe") returned 19 [0052.549] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0052.553] lstrlenW (lpString="utg2.exe") returned 8 [0052.554] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0052.555] lstrlenW (lpString="focuses.exe") returned 11 [0052.555] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0052.555] lstrlenW (lpString="fi fence.exe") returned 12 [0052.555] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0052.556] lstrlenW (lpString="knight.exe") returned 10 [0052.556] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0052.557] lstrlenW (lpString="library.exe") returned 11 [0052.557] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.558] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.558] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.558] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.558] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.559] lstrlenW (lpString="taskhost.exe") returned 12 [0052.559] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0052.560] lstrlenW (lpString="winhost.exe") returned 11 [0052.560] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.560] lstrlenW (lpString="cmd.exe") returned 7 [0052.561] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.561] lstrlenW (lpString="conhost.exe") returned 11 [0052.562] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.562] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.562] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.563] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.563] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.591] lstrlenW (lpString="svchost.exe") returned 11 [0052.591] Process32NextW (in: hSnapshot=0x194, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.592] CloseHandle (hObject=0x194) returned 1 [0052.592] Sleep (dwMilliseconds=0x1f4) [0053.423] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3c40 [0053.595] EnumServicesStatusExW (in: hSCManager=0x5a3c40, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0053.627] GetLastError () returned 0xea [0053.627] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f3f0a8 [0053.627] EnumServicesStatusExW (in: hSCManager=0x5a3c40, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f3f0a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f3f0a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0053.662] CloseServiceHandle (hSCObject=0x5a3c40) returned 1 [0053.671] lstrlenW (lpString="Appinfo") returned 7 [0053.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.672] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.672] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.672] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.672] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.672] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.672] lstrlenW (lpString="AudioSrv") returned 8 [0053.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.672] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.672] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.672] lstrlenW (lpString="BFE") returned 3 [0053.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.672] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.672] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.672] lstrlenW (lpString="CryptSvc") returned 8 [0053.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.672] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.672] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.672] lstrlenW (lpString="CscService") returned 10 [0053.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.673] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.673] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.673] lstrlenW (lpString="DcomLaunch") returned 10 [0053.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.673] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.673] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.673] lstrlenW (lpString="Dhcp") returned 4 [0053.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.673] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.673] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.673] lstrlenW (lpString="Dnscache") returned 8 [0053.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.673] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.673] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.673] lstrlenW (lpString="DPS") returned 3 [0053.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.673] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.673] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.673] lstrlenW (lpString="eventlog") returned 8 [0053.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.673] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.673] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.674] lstrlenW (lpString="EventSystem") returned 11 [0053.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.674] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.674] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.674] lstrlenW (lpString="gpsvc") returned 5 [0053.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.674] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.674] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.674] lstrlenW (lpString="iphlpsvc") returned 8 [0053.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.674] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.674] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.674] lstrlenW (lpString="LanmanServer") returned 12 [0053.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.674] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.674] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.674] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.674] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.674] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.674] lstrlenW (lpString="lmhosts") returned 7 [0053.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.675] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.675] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.675] lstrlenW (lpString="MMCSS") returned 5 [0053.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.675] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.675] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.675] lstrlenW (lpString="MpsSvc") returned 6 [0053.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.675] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.675] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.675] lstrlenW (lpString="Netman") returned 6 [0053.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.675] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.675] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.675] lstrlenW (lpString="netprofm") returned 8 [0053.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.675] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.675] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.675] lstrlenW (lpString="NlaSvc") returned 6 [0053.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.676] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.676] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.676] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.676] lstrlenW (lpString="nsi") returned 3 [0053.676] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.676] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.676] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.676] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.676] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.676] lstrlenW (lpString="PcaSvc") returned 6 [0053.676] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.676] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.676] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.676] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.676] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.676] lstrlenW (lpString="PlugPlay") returned 8 [0053.676] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.676] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.676] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.676] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.676] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.676] lstrlenW (lpString="Power") returned 5 [0053.676] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.676] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.676] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.676] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.676] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.677] lstrlenW (lpString="ProfSvc") returned 7 [0053.677] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.677] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.677] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.677] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.677] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.677] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.677] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.677] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.677] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.677] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.677] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.677] lstrlenW (lpString="RpcSs") returned 5 [0053.677] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.677] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.677] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.677] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.677] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.677] lstrlenW (lpString="SamSs") returned 5 [0053.677] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.677] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.677] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.677] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.677] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.677] lstrlenW (lpString="Schedule") returned 8 [0053.677] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.677] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.677] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.677] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.677] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.677] lstrlenW (lpString="SENS") returned 4 [0053.677] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.678] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.678] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.678] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.678] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.678] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.678] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.678] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.678] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.678] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.678] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.678] lstrlenW (lpString="Spooler") returned 7 [0053.678] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.678] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.678] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.678] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.678] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.678] lstrlenW (lpString="swprv") returned 5 [0053.678] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.678] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.678] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.678] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.678] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.678] lstrlenW (lpString="SysMain") returned 7 [0053.678] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.678] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.678] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.678] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.678] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.678] lstrlenW (lpString="Themes") returned 6 [0053.678] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.678] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.678] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.679] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.679] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.679] lstrlenW (lpString="TrkWks") returned 6 [0053.679] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.679] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.679] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.679] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.679] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.679] lstrlenW (lpString="UxSms") returned 5 [0053.679] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.679] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.679] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.679] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.679] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.679] lstrlenW (lpString="VSS") returned 3 [0053.679] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.679] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.679] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.679] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.679] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.679] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.679] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.679] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.679] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.679] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.679] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.679] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.679] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.679] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.679] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.679] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.679] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.679] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.679] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.680] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.680] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.680] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.680] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.680] lstrlenW (lpString="Winmgmt") returned 7 [0053.680] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.680] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.680] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.680] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.680] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.680] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.680] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.680] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.680] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.680] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.680] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.680] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f3f0a8 | out: hHeap=0x500000) returned 1 [0053.680] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x228 [0053.684] Process32FirstW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.685] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.685] lstrlenW (lpString="System") returned 6 [0053.685] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.685] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.685] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.685] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.686] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.686] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.686] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.686] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.687] lstrlenW (lpString="smss.exe") returned 8 [0053.687] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.687] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.687] lstrlenW (lpString="csrss.exe") returned 9 [0053.687] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.687] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.687] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.687] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.688] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.688] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.688] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.688] lstrlenW (lpString="wininit.exe") returned 11 [0053.688] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.688] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.688] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.688] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.689] lstrlenW (lpString="csrss.exe") returned 9 [0053.689] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.689] lstrlenW (lpString="winlogon.exe") returned 12 [0053.689] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.690] lstrlenW (lpString="services.exe") returned 12 [0053.690] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.691] lstrlenW (lpString="lsass.exe") returned 9 [0053.691] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.691] lstrlenW (lpString="lsm.exe") returned 7 [0053.691] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.692] lstrlenW (lpString="svchost.exe") returned 11 [0053.692] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.692] lstrlenW (lpString="svchost.exe") returned 11 [0053.692] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.693] lstrlenW (lpString="svchost.exe") returned 11 [0053.693] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.693] lstrlenW (lpString="svchost.exe") returned 11 [0053.693] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.694] lstrlenW (lpString="svchost.exe") returned 11 [0053.694] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.694] lstrlenW (lpString="audiodg.exe") returned 11 [0053.694] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.695] lstrlenW (lpString="svchost.exe") returned 11 [0053.695] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.695] lstrlenW (lpString="svchost.exe") returned 11 [0053.695] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.696] lstrlenW (lpString="dwm.exe") returned 7 [0053.696] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.696] lstrlenW (lpString="explorer.exe") returned 12 [0053.696] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.697] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.697] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.697] lstrlenW (lpString="svchost.exe") returned 11 [0053.697] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.698] lstrlenW (lpString="taskhost.exe") returned 12 [0053.698] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.699] lstrlenW (lpString="taskeng.exe") returned 11 [0053.699] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0053.699] lstrlenW (lpString="prime.exe") returned 9 [0053.699] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0053.700] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0053.700] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0053.701] lstrlenW (lpString="financing.exe") returned 13 [0053.701] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0053.701] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0053.701] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0054.563] lstrlenW (lpString="dg hit.exe") returned 10 [0054.563] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0054.564] lstrlenW (lpString="banners_drops.exe") returned 17 [0054.564] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0054.565] lstrlenW (lpString="vacuum.exe") returned 10 [0054.565] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0054.565] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0054.565] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0054.566] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0054.566] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0054.567] lstrlenW (lpString="holocauststored.exe") returned 19 [0054.567] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0054.568] lstrlenW (lpString="mini.exe") returned 8 [0054.568] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0054.568] lstrlenW (lpString="bi_tiny.exe") returned 11 [0054.568] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0054.569] lstrlenW (lpString="mall_drawn.exe") returned 14 [0054.569] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0054.643] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0054.643] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0054.643] lstrlenW (lpString="distributed.exe") returned 15 [0054.644] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0054.644] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0054.644] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0054.645] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0054.645] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0054.645] lstrlenW (lpString="3dftp.exe") returned 9 [0054.645] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0054.646] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0054.646] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0054.646] lstrlenW (lpString="alftp.exe") returned 9 [0054.646] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0054.647] lstrlenW (lpString="barca.exe") returned 9 [0054.647] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0054.648] lstrlenW (lpString="bitkinex.exe") returned 12 [0054.648] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0054.648] lstrlenW (lpString="coreftp.exe") returned 11 [0054.648] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0054.764] lstrlenW (lpString="far.exe") returned 7 [0054.764] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0054.765] lstrlenW (lpString="filezilla.exe") returned 13 [0054.765] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0054.766] lstrlenW (lpString="flashfxp.exe") returned 12 [0054.766] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0054.767] lstrlenW (lpString="fling.exe") returned 9 [0054.769] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0054.773] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0054.773] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0054.779] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0054.779] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0054.780] lstrlenW (lpString="icq.exe") returned 7 [0054.780] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0054.781] lstrlenW (lpString="leechftp.exe") returned 12 [0054.781] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0054.781] lstrlenW (lpString="ncftp.exe") returned 9 [0054.782] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0054.782] lstrlenW (lpString="notepad.exe") returned 11 [0054.782] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0054.783] lstrlenW (lpString="operamail.exe") returned 13 [0054.783] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0054.784] lstrlenW (lpString="pidgin.exe") returned 10 [0054.784] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0054.785] lstrlenW (lpString="scriptftp.exe") returned 13 [0054.785] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0054.786] lstrlenW (lpString="skype.exe") returned 9 [0054.786] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0054.787] lstrlenW (lpString="smartftp.exe") returned 12 [0054.787] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0054.788] lstrlenW (lpString="thunderbird.exe") returned 15 [0054.788] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0054.789] lstrlenW (lpString="totalcmd.exe") returned 12 [0054.789] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0054.790] lstrlenW (lpString="trillian.exe") returned 12 [0054.790] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0054.791] lstrlenW (lpString="webdrive.exe") returned 12 [0054.791] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0054.792] lstrlenW (lpString="whatsapp.exe") returned 12 [0054.792] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0054.793] lstrlenW (lpString="winscp.exe") returned 10 [0054.793] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0054.957] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0054.957] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0054.958] lstrlenW (lpString="active-charge.exe") returned 17 [0054.958] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0054.959] lstrlenW (lpString="accupos.exe") returned 11 [0054.959] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0054.960] lstrlenW (lpString="afr38.exe") returned 9 [0054.960] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0054.961] lstrlenW (lpString="aldelo.exe") returned 10 [0054.961] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0054.962] lstrlenW (lpString="ccv_server.exe") returned 14 [0054.962] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0054.963] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0054.963] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0054.964] lstrlenW (lpString="creditservice.exe") returned 17 [0054.964] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0054.965] lstrlenW (lpString="edcsvr.exe") returned 10 [0054.965] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0054.966] lstrlenW (lpString="fpos.exe") returned 8 [0054.966] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0054.967] lstrlenW (lpString="isspos.exe") returned 10 [0054.967] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0054.968] lstrlenW (lpString="mxslipstream.exe") returned 16 [0054.968] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0054.969] lstrlenW (lpString="omnipos.exe") returned 11 [0054.969] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0054.970] lstrlenW (lpString="spcwin.exe") returned 10 [0054.970] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0054.971] lstrlenW (lpString="spgagentservice.exe") returned 19 [0054.971] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0054.972] lstrlenW (lpString="utg2.exe") returned 8 [0054.972] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0054.973] lstrlenW (lpString="focuses.exe") returned 11 [0054.973] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0054.974] lstrlenW (lpString="fi fence.exe") returned 12 [0054.974] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0054.974] lstrlenW (lpString="knight.exe") returned 10 [0054.974] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0054.975] lstrlenW (lpString="library.exe") returned 11 [0054.975] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.976] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.976] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.977] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.977] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.978] lstrlenW (lpString="taskhost.exe") returned 12 [0054.978] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0054.979] lstrlenW (lpString="winhost.exe") returned 11 [0054.979] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.979] lstrlenW (lpString="cmd.exe") returned 7 [0054.979] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.980] lstrlenW (lpString="conhost.exe") returned 11 [0054.980] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.981] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.981] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.982] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.982] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.983] lstrlenW (lpString="svchost.exe") returned 11 [0054.983] Process32NextW (in: hSnapshot=0x228, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.983] CloseHandle (hObject=0x228) returned 1 [0054.983] Sleep (dwMilliseconds=0x1f4) [0055.546] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3ad8 [0055.546] EnumServicesStatusExW (in: hSCManager=0x5a3ad8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0055.546] GetLastError () returned 0xea [0055.547] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3fc60d8 [0055.547] EnumServicesStatusExW (in: hSCManager=0x5a3ad8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3fc60d8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3fc60d8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0055.551] CloseServiceHandle (hSCObject=0x5a3ad8) returned 1 [0055.551] lstrlenW (lpString="Appinfo") returned 7 [0055.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0055.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0055.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0055.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0055.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0055.551] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0055.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.551] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0055.551] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0055.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0055.551] lstrlenW (lpString="AudioSrv") returned 8 [0055.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0055.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0055.551] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0055.551] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0055.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0055.551] lstrlenW (lpString="BFE") returned 3 [0055.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0055.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0055.552] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0055.552] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0055.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0055.552] lstrlenW (lpString="CryptSvc") returned 8 [0055.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0055.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0055.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0055.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0055.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0055.552] lstrlenW (lpString="CscService") returned 10 [0055.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0055.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0055.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0055.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0055.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0055.552] lstrlenW (lpString="DcomLaunch") returned 10 [0055.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.552] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0055.552] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0055.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0055.552] lstrlenW (lpString="Dhcp") returned 4 [0055.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0055.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0055.552] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0055.552] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0055.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0055.553] lstrlenW (lpString="Dnscache") returned 8 [0055.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0055.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0055.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0055.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0055.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0055.553] lstrlenW (lpString="DPS") returned 3 [0055.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0055.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0055.553] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0055.553] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0055.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0055.553] lstrlenW (lpString="eventlog") returned 8 [0055.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0055.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0055.553] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0055.553] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0055.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0055.553] lstrlenW (lpString="EventSystem") returned 11 [0055.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0055.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0055.553] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0055.553] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0055.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0055.553] lstrlenW (lpString="gpsvc") returned 5 [0055.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0055.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0055.554] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0055.554] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0055.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0055.554] lstrlenW (lpString="iphlpsvc") returned 8 [0055.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.554] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0055.554] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0055.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0055.554] lstrlenW (lpString="LanmanServer") returned 12 [0055.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0055.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0055.554] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0055.554] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0055.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0055.554] lstrlenW (lpString="LanmanWorkstation") returned 17 [0055.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.554] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0055.554] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0055.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0055.554] lstrlenW (lpString="lmhosts") returned 7 [0055.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0055.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0055.554] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0055.554] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0055.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0055.554] lstrlenW (lpString="MMCSS") returned 5 [0055.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0055.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0055.555] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0055.555] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0055.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0055.555] lstrlenW (lpString="MpsSvc") returned 6 [0055.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0055.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0055.555] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0055.555] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0055.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0055.555] lstrlenW (lpString="Netman") returned 6 [0055.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0055.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0055.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0055.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0055.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0055.555] lstrlenW (lpString="netprofm") returned 8 [0055.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0055.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0055.555] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0055.555] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0055.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0055.555] lstrlenW (lpString="NlaSvc") returned 6 [0055.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0055.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0055.555] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0055.556] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0055.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0055.556] lstrlenW (lpString="nsi") returned 3 [0055.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0055.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0055.556] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0055.556] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0055.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0055.556] lstrlenW (lpString="PcaSvc") returned 6 [0055.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0055.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0055.556] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0055.556] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0055.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0055.556] lstrlenW (lpString="PlugPlay") returned 8 [0055.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0055.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0055.556] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0055.556] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0055.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0055.556] lstrlenW (lpString="Power") returned 5 [0055.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0055.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0055.556] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0055.556] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0055.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0055.556] lstrlenW (lpString="ProfSvc") returned 7 [0055.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0055.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0055.557] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0055.557] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0055.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0055.557] lstrlenW (lpString="RpcEptMapper") returned 12 [0055.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.557] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0055.557] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0055.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0055.557] lstrlenW (lpString="RpcSs") returned 5 [0055.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0055.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0055.557] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0055.557] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0055.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0055.557] lstrlenW (lpString="SamSs") returned 5 [0055.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0055.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0055.557] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0055.557] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0055.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0055.557] lstrlenW (lpString="Schedule") returned 8 [0055.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0055.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0055.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0055.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0055.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0055.558] lstrlenW (lpString="SENS") returned 4 [0055.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0055.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0055.558] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0055.558] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0055.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0055.558] lstrlenW (lpString="ShellHWDetection") returned 16 [0055.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.558] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0055.558] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0055.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0055.558] lstrlenW (lpString="Spooler") returned 7 [0055.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0055.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0055.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0055.559] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0055.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0055.560] lstrlenW (lpString="swprv") returned 5 [0055.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0055.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0055.560] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0055.560] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0055.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0055.560] lstrlenW (lpString="SysMain") returned 7 [0055.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0055.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0055.560] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0055.560] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0055.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0055.560] lstrlenW (lpString="Themes") returned 6 [0055.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0055.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0055.560] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0055.560] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0055.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0055.560] lstrlenW (lpString="TrkWks") returned 6 [0055.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0055.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0055.560] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0055.560] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0055.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0055.560] lstrlenW (lpString="UxSms") returned 5 [0055.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0055.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0055.561] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0055.561] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0055.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0055.561] lstrlenW (lpString="VSS") returned 3 [0055.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0055.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0055.561] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0055.561] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0055.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0055.561] lstrlenW (lpString="WdiServiceHost") returned 14 [0055.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.561] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0055.561] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0055.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0055.561] lstrlenW (lpString="WdiSystemHost") returned 13 [0055.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.561] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0055.561] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0055.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0055.561] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0055.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.561] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0055.561] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0055.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0055.561] lstrlenW (lpString="Winmgmt") returned 7 [0055.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0055.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0055.562] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0055.562] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0055.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0055.562] lstrlenW (lpString="WPDBusEnum") returned 10 [0055.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.562] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0055.562] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0055.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0055.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fc60d8 | out: hHeap=0x500000) returned 1 [0055.562] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x218 [0055.567] Process32FirstW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.568] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.568] lstrlenW (lpString="System") returned 6 [0055.568] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0055.568] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0055.568] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0055.568] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0055.568] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0055.568] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0055.568] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0055.568] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.569] lstrlenW (lpString="smss.exe") returned 8 [0055.569] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0055.569] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0055.569] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0055.569] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0055.569] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0055.569] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0055.569] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0055.570] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.570] lstrlenW (lpString="csrss.exe") returned 9 [0055.570] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0055.570] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0055.570] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0055.570] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0055.570] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0055.570] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0055.570] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0055.570] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.571] lstrlenW (lpString="wininit.exe") returned 11 [0055.571] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0055.571] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0055.571] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0055.571] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.572] lstrlenW (lpString="csrss.exe") returned 9 [0055.572] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.573] lstrlenW (lpString="winlogon.exe") returned 12 [0055.573] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.573] lstrlenW (lpString="services.exe") returned 12 [0055.573] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.575] lstrlenW (lpString="lsass.exe") returned 9 [0055.575] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0055.575] lstrlenW (lpString="lsm.exe") returned 7 [0055.575] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.576] lstrlenW (lpString="svchost.exe") returned 11 [0055.576] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.576] lstrlenW (lpString="svchost.exe") returned 11 [0055.577] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.577] lstrlenW (lpString="svchost.exe") returned 11 [0055.577] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.578] lstrlenW (lpString="svchost.exe") returned 11 [0055.578] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.578] lstrlenW (lpString="svchost.exe") returned 11 [0055.578] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.579] lstrlenW (lpString="audiodg.exe") returned 11 [0055.579] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.579] lstrlenW (lpString="svchost.exe") returned 11 [0055.579] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.580] lstrlenW (lpString="svchost.exe") returned 11 [0055.580] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.580] lstrlenW (lpString="dwm.exe") returned 7 [0055.580] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.581] lstrlenW (lpString="explorer.exe") returned 12 [0055.581] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.581] lstrlenW (lpString="spoolsv.exe") returned 11 [0055.581] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.582] lstrlenW (lpString="svchost.exe") returned 11 [0055.582] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.582] lstrlenW (lpString="taskhost.exe") returned 12 [0055.583] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0055.583] lstrlenW (lpString="taskeng.exe") returned 11 [0055.583] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0055.876] lstrlenW (lpString="prime.exe") returned 9 [0055.876] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0055.877] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0055.877] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0055.877] lstrlenW (lpString="financing.exe") returned 13 [0055.877] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0055.878] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0055.878] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0055.878] lstrlenW (lpString="dg hit.exe") returned 10 [0055.878] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0055.879] lstrlenW (lpString="banners_drops.exe") returned 17 [0055.879] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0055.879] lstrlenW (lpString="vacuum.exe") returned 10 [0055.879] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0055.880] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0055.880] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0055.880] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0055.880] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0055.881] lstrlenW (lpString="holocauststored.exe") returned 19 [0055.881] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0055.881] lstrlenW (lpString="mini.exe") returned 8 [0055.881] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0055.882] lstrlenW (lpString="bi_tiny.exe") returned 11 [0055.882] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0055.882] lstrlenW (lpString="mall_drawn.exe") returned 14 [0055.883] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0055.883] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0055.883] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0055.884] lstrlenW (lpString="distributed.exe") returned 15 [0055.884] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0055.884] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0055.885] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0055.885] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0055.885] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0055.886] lstrlenW (lpString="3dftp.exe") returned 9 [0055.886] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0055.887] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0055.887] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0055.887] lstrlenW (lpString="alftp.exe") returned 9 [0055.887] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0055.888] lstrlenW (lpString="barca.exe") returned 9 [0055.888] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0055.888] lstrlenW (lpString="bitkinex.exe") returned 12 [0055.888] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0055.889] lstrlenW (lpString="coreftp.exe") returned 11 [0055.889] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0055.889] lstrlenW (lpString="far.exe") returned 7 [0055.889] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0055.890] lstrlenW (lpString="filezilla.exe") returned 13 [0055.890] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0055.890] lstrlenW (lpString="flashfxp.exe") returned 12 [0055.890] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0055.891] lstrlenW (lpString="fling.exe") returned 9 [0055.891] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0055.891] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0055.892] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0055.892] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0055.892] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0055.893] lstrlenW (lpString="icq.exe") returned 7 [0055.893] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0055.893] lstrlenW (lpString="leechftp.exe") returned 12 [0055.893] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0055.894] lstrlenW (lpString="ncftp.exe") returned 9 [0055.894] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0055.894] lstrlenW (lpString="notepad.exe") returned 11 [0055.894] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0055.895] lstrlenW (lpString="operamail.exe") returned 13 [0055.895] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0055.896] lstrlenW (lpString="pidgin.exe") returned 10 [0055.896] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0055.896] lstrlenW (lpString="scriptftp.exe") returned 13 [0055.897] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0055.897] lstrlenW (lpString="skype.exe") returned 9 [0055.897] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0055.898] lstrlenW (lpString="smartftp.exe") returned 12 [0055.898] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0055.899] lstrlenW (lpString="thunderbird.exe") returned 15 [0055.899] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0055.900] lstrlenW (lpString="totalcmd.exe") returned 12 [0055.900] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0055.901] lstrlenW (lpString="trillian.exe") returned 12 [0055.901] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0055.902] lstrlenW (lpString="webdrive.exe") returned 12 [0055.902] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0055.903] lstrlenW (lpString="whatsapp.exe") returned 12 [0055.903] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0055.904] lstrlenW (lpString="winscp.exe") returned 10 [0055.904] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0055.905] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0055.905] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0055.906] lstrlenW (lpString="active-charge.exe") returned 17 [0055.906] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0055.906] lstrlenW (lpString="accupos.exe") returned 11 [0055.906] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0055.907] lstrlenW (lpString="afr38.exe") returned 9 [0055.907] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0055.908] lstrlenW (lpString="aldelo.exe") returned 10 [0055.908] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0055.909] lstrlenW (lpString="ccv_server.exe") returned 14 [0055.909] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0055.910] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0055.910] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0055.968] lstrlenW (lpString="creditservice.exe") returned 17 [0055.968] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0056.028] lstrlenW (lpString="edcsvr.exe") returned 10 [0056.029] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0056.030] lstrlenW (lpString="fpos.exe") returned 8 [0056.030] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0056.030] lstrlenW (lpString="isspos.exe") returned 10 [0056.031] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0056.031] lstrlenW (lpString="mxslipstream.exe") returned 16 [0056.032] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0056.032] lstrlenW (lpString="omnipos.exe") returned 11 [0056.033] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0056.033] lstrlenW (lpString="spcwin.exe") returned 10 [0056.033] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0056.034] lstrlenW (lpString="spgagentservice.exe") returned 19 [0056.034] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0056.035] lstrlenW (lpString="utg2.exe") returned 8 [0056.035] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0056.036] lstrlenW (lpString="focuses.exe") returned 11 [0056.036] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0056.037] lstrlenW (lpString="fi fence.exe") returned 12 [0056.037] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0056.038] lstrlenW (lpString="knight.exe") returned 10 [0056.038] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0056.039] lstrlenW (lpString="library.exe") returned 11 [0056.039] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.040] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.040] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.041] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.041] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.042] lstrlenW (lpString="taskhost.exe") returned 12 [0056.042] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0056.043] lstrlenW (lpString="winhost.exe") returned 11 [0056.043] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.044] lstrlenW (lpString="cmd.exe") returned 7 [0056.044] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.045] lstrlenW (lpString="conhost.exe") returned 11 [0056.045] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.046] lstrlenW (lpString="vssadmin.exe") returned 12 [0056.046] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0056.047] lstrlenW (lpString="VSSVC.exe") returned 9 [0056.047] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.048] lstrlenW (lpString="svchost.exe") returned 11 [0056.048] Process32NextW (in: hSnapshot=0x218, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.048] CloseHandle (hObject=0x218) returned 1 [0056.048] Sleep (dwMilliseconds=0x1f4) [0056.684] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3b00 [0056.684] EnumServicesStatusExW (in: hSCManager=0x5a3b00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0056.684] GetLastError () returned 0xea [0056.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f3f0a8 [0056.685] EnumServicesStatusExW (in: hSCManager=0x5a3b00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f3f0a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f3f0a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0056.686] CloseServiceHandle (hSCObject=0x5a3b00) returned 1 [0056.686] lstrlenW (lpString="Appinfo") returned 7 [0056.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0056.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0056.690] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0056.690] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0056.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0056.690] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0056.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.690] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0056.690] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0056.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0056.690] lstrlenW (lpString="AudioSrv") returned 8 [0056.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0056.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0056.690] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0056.690] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0056.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0056.690] lstrlenW (lpString="BFE") returned 3 [0056.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0056.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0056.691] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0056.691] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0056.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0056.691] lstrlenW (lpString="CryptSvc") returned 8 [0056.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0056.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0056.691] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0056.691] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0056.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0056.691] lstrlenW (lpString="CscService") returned 10 [0056.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0056.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0056.691] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0056.691] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0056.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0056.692] lstrlenW (lpString="DcomLaunch") returned 10 [0056.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.692] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0056.692] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0056.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0056.692] lstrlenW (lpString="Dhcp") returned 4 [0056.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0056.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0056.692] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0056.693] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0056.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0056.693] lstrlenW (lpString="Dnscache") returned 8 [0056.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0056.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0056.693] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0056.693] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0056.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0056.693] lstrlenW (lpString="DPS") returned 3 [0056.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0056.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0056.693] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0056.693] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0056.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0056.693] lstrlenW (lpString="eventlog") returned 8 [0056.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0056.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0056.693] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0056.693] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0056.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0056.693] lstrlenW (lpString="EventSystem") returned 11 [0056.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0056.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0056.693] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0056.693] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0056.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0056.693] lstrlenW (lpString="gpsvc") returned 5 [0056.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0056.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0056.693] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0056.693] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0056.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0056.694] lstrlenW (lpString="iphlpsvc") returned 8 [0056.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.694] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0056.694] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0056.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0056.694] lstrlenW (lpString="LanmanServer") returned 12 [0056.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0056.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0056.694] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0056.694] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0056.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0056.694] lstrlenW (lpString="LanmanWorkstation") returned 17 [0056.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.694] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0056.694] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0056.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0056.694] lstrlenW (lpString="lmhosts") returned 7 [0056.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0056.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0056.694] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0056.694] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0056.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0056.694] lstrlenW (lpString="MMCSS") returned 5 [0056.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0056.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0056.694] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0056.694] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0056.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0056.694] lstrlenW (lpString="MpsSvc") returned 6 [0056.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0056.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0056.695] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0056.695] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0056.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0056.695] lstrlenW (lpString="Netman") returned 6 [0056.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0056.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0056.695] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0056.695] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0056.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0056.695] lstrlenW (lpString="netprofm") returned 8 [0056.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0056.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0056.695] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0056.695] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0056.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0056.695] lstrlenW (lpString="NlaSvc") returned 6 [0056.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0056.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0056.695] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0056.695] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0056.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0056.695] lstrlenW (lpString="nsi") returned 3 [0056.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0056.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0056.695] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0056.695] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0056.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0056.695] lstrlenW (lpString="PcaSvc") returned 6 [0056.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0056.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0056.695] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0056.695] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0056.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0056.696] lstrlenW (lpString="PlugPlay") returned 8 [0056.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0056.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0056.696] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0056.696] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0056.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0056.696] lstrlenW (lpString="Power") returned 5 [0056.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0056.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0056.696] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0056.696] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0056.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0056.696] lstrlenW (lpString="ProfSvc") returned 7 [0056.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0056.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0056.696] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0056.696] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0056.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0056.696] lstrlenW (lpString="RpcEptMapper") returned 12 [0056.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.696] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0056.696] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0056.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0056.696] lstrlenW (lpString="RpcSs") returned 5 [0056.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0056.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0056.696] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0056.696] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0056.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0056.697] lstrlenW (lpString="SamSs") returned 5 [0056.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0056.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0056.697] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0056.697] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0056.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0056.697] lstrlenW (lpString="Schedule") returned 8 [0056.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0056.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0056.697] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0056.697] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0056.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0056.697] lstrlenW (lpString="SENS") returned 4 [0056.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0056.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0056.697] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0056.697] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0056.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0056.697] lstrlenW (lpString="ShellHWDetection") returned 16 [0056.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.697] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0056.697] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0056.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0056.697] lstrlenW (lpString="Spooler") returned 7 [0056.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0056.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0056.698] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0056.698] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0056.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0056.698] lstrlenW (lpString="swprv") returned 5 [0056.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0056.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0056.698] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0056.698] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0056.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0056.698] lstrlenW (lpString="SysMain") returned 7 [0056.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0056.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0056.698] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0056.698] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0056.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0056.699] lstrlenW (lpString="Themes") returned 6 [0056.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0056.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0056.699] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0056.699] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0056.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0056.699] lstrlenW (lpString="TrkWks") returned 6 [0056.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0056.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0056.699] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0056.699] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0056.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0056.702] lstrlenW (lpString="UxSms") returned 5 [0056.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0056.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0056.702] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0056.702] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0056.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0056.702] lstrlenW (lpString="VSS") returned 3 [0056.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0056.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0056.702] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0056.703] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0056.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0056.703] lstrlenW (lpString="WdiServiceHost") returned 14 [0056.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.703] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0056.703] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0056.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0056.703] lstrlenW (lpString="WdiSystemHost") returned 13 [0056.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.705] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0056.705] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0056.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0056.705] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0056.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.712] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0056.712] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0056.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0056.712] lstrlenW (lpString="Winmgmt") returned 7 [0056.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0056.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0056.714] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0056.714] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0056.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0056.714] lstrlenW (lpString="WPDBusEnum") returned 10 [0056.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.727] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0056.727] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0056.727] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0056.727] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f3f0a8 | out: hHeap=0x500000) returned 1 [0056.751] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0056.777] Process32FirstW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.779] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.780] lstrlenW (lpString="System") returned 6 [0056.780] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0056.781] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0056.781] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0056.781] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0056.781] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0056.781] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0056.781] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0056.781] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.785] lstrlenW (lpString="smss.exe") returned 8 [0056.786] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0056.786] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0056.786] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0056.786] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0056.786] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0056.792] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0056.792] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0056.792] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.795] lstrlenW (lpString="csrss.exe") returned 9 [0056.795] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0056.795] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0056.795] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0056.797] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0056.797] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0056.797] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0056.797] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0056.800] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.805] lstrlenW (lpString="wininit.exe") returned 11 [0056.805] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0056.806] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0056.806] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0056.807] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.810] lstrlenW (lpString="csrss.exe") returned 9 [0056.810] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.670] lstrlenW (lpString="winlogon.exe") returned 12 [0057.670] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.671] lstrlenW (lpString="services.exe") returned 12 [0057.671] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.672] lstrlenW (lpString="lsass.exe") returned 9 [0057.672] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0057.672] lstrlenW (lpString="lsm.exe") returned 7 [0057.672] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.673] lstrlenW (lpString="svchost.exe") returned 11 [0057.673] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.673] lstrlenW (lpString="svchost.exe") returned 11 [0057.673] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.674] lstrlenW (lpString="svchost.exe") returned 11 [0057.674] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.675] lstrlenW (lpString="svchost.exe") returned 11 [0057.675] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.676] lstrlenW (lpString="svchost.exe") returned 11 [0057.676] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.677] lstrlenW (lpString="audiodg.exe") returned 11 [0057.677] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.677] lstrlenW (lpString="svchost.exe") returned 11 [0057.677] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.678] lstrlenW (lpString="svchost.exe") returned 11 [0057.678] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.678] lstrlenW (lpString="dwm.exe") returned 7 [0057.678] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.679] lstrlenW (lpString="explorer.exe") returned 12 [0057.679] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.679] lstrlenW (lpString="spoolsv.exe") returned 11 [0057.679] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.680] lstrlenW (lpString="svchost.exe") returned 11 [0057.680] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.681] lstrlenW (lpString="taskhost.exe") returned 12 [0057.681] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0057.681] lstrlenW (lpString="taskeng.exe") returned 11 [0057.681] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0057.682] lstrlenW (lpString="prime.exe") returned 9 [0057.682] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0057.682] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0057.682] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0057.683] lstrlenW (lpString="financing.exe") returned 13 [0057.683] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0057.683] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0057.683] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0057.684] lstrlenW (lpString="dg hit.exe") returned 10 [0057.684] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0057.684] lstrlenW (lpString="banners_drops.exe") returned 17 [0057.684] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0057.685] lstrlenW (lpString="vacuum.exe") returned 10 [0057.685] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0057.685] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0057.686] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0057.686] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0057.686] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0057.687] lstrlenW (lpString="holocauststored.exe") returned 19 [0057.687] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0057.687] lstrlenW (lpString="mini.exe") returned 8 [0057.687] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0057.688] lstrlenW (lpString="bi_tiny.exe") returned 11 [0057.688] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0057.688] lstrlenW (lpString="mall_drawn.exe") returned 14 [0057.688] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0057.689] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0057.689] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0057.689] lstrlenW (lpString="distributed.exe") returned 15 [0057.690] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0057.690] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0057.690] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0057.691] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0057.691] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0057.692] lstrlenW (lpString="3dftp.exe") returned 9 [0057.692] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0057.693] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0057.693] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0057.693] lstrlenW (lpString="alftp.exe") returned 9 [0057.693] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0057.694] lstrlenW (lpString="barca.exe") returned 9 [0057.694] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0057.695] lstrlenW (lpString="bitkinex.exe") returned 12 [0057.695] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0057.700] lstrlenW (lpString="coreftp.exe") returned 11 [0057.700] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0057.705] lstrlenW (lpString="far.exe") returned 7 [0057.705] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0057.709] lstrlenW (lpString="filezilla.exe") returned 13 [0057.709] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0057.710] lstrlenW (lpString="flashfxp.exe") returned 12 [0057.710] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0057.710] lstrlenW (lpString="fling.exe") returned 9 [0057.710] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0057.711] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0057.711] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0057.712] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0057.712] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0057.712] lstrlenW (lpString="icq.exe") returned 7 [0057.712] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0057.713] lstrlenW (lpString="leechftp.exe") returned 12 [0057.713] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0057.713] lstrlenW (lpString="ncftp.exe") returned 9 [0057.713] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0057.714] lstrlenW (lpString="notepad.exe") returned 11 [0057.714] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0057.714] lstrlenW (lpString="operamail.exe") returned 13 [0057.714] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0057.715] lstrlenW (lpString="pidgin.exe") returned 10 [0057.715] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0057.858] lstrlenW (lpString="scriptftp.exe") returned 13 [0057.858] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0057.859] lstrlenW (lpString="skype.exe") returned 9 [0057.859] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0057.860] lstrlenW (lpString="smartftp.exe") returned 12 [0057.860] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0057.861] lstrlenW (lpString="thunderbird.exe") returned 15 [0057.861] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0057.862] lstrlenW (lpString="totalcmd.exe") returned 12 [0057.862] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0057.862] lstrlenW (lpString="trillian.exe") returned 12 [0057.862] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0057.863] lstrlenW (lpString="webdrive.exe") returned 12 [0057.863] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0057.864] lstrlenW (lpString="whatsapp.exe") returned 12 [0057.864] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0057.865] lstrlenW (lpString="winscp.exe") returned 10 [0057.865] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0057.866] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0057.866] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0057.866] lstrlenW (lpString="active-charge.exe") returned 17 [0057.867] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0057.868] lstrlenW (lpString="accupos.exe") returned 11 [0057.868] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0057.868] lstrlenW (lpString="afr38.exe") returned 9 [0057.868] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0057.869] lstrlenW (lpString="aldelo.exe") returned 10 [0057.870] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0057.872] lstrlenW (lpString="ccv_server.exe") returned 14 [0057.872] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0057.873] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0057.873] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0057.873] lstrlenW (lpString="creditservice.exe") returned 17 [0057.873] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0057.877] lstrlenW (lpString="edcsvr.exe") returned 10 [0057.877] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0057.877] lstrlenW (lpString="fpos.exe") returned 8 [0057.877] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0057.878] lstrlenW (lpString="isspos.exe") returned 10 [0057.878] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0057.879] lstrlenW (lpString="mxslipstream.exe") returned 16 [0057.879] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0057.880] lstrlenW (lpString="omnipos.exe") returned 11 [0057.880] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0057.880] lstrlenW (lpString="spcwin.exe") returned 10 [0057.880] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0057.881] lstrlenW (lpString="spgagentservice.exe") returned 19 [0057.881] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0057.882] lstrlenW (lpString="utg2.exe") returned 8 [0057.882] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0057.882] lstrlenW (lpString="focuses.exe") returned 11 [0057.882] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0057.883] lstrlenW (lpString="fi fence.exe") returned 12 [0057.883] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0057.884] lstrlenW (lpString="knight.exe") returned 10 [0057.884] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0057.884] lstrlenW (lpString="library.exe") returned 11 [0057.885] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.885] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.885] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.886] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.886] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.886] lstrlenW (lpString="taskhost.exe") returned 12 [0057.886] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0057.887] lstrlenW (lpString="winhost.exe") returned 11 [0057.887] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.888] lstrlenW (lpString="cmd.exe") returned 7 [0057.888] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.888] lstrlenW (lpString="conhost.exe") returned 11 [0057.888] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.889] lstrlenW (lpString="vssadmin.exe") returned 12 [0057.889] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0057.890] lstrlenW (lpString="VSSVC.exe") returned 9 [0057.890] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.890] lstrlenW (lpString="svchost.exe") returned 11 [0057.891] Process32NextW (in: hSnapshot=0x208, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0057.891] CloseHandle (hObject=0x208) returned 1 [0057.891] Sleep (dwMilliseconds=0x1f4) [0058.398] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3510 [0058.398] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0058.398] GetLastError () returned 0xea [0058.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f3f0a8 [0058.399] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f3f0a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f3f0a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0058.399] CloseServiceHandle (hSCObject=0x5a3510) returned 1 [0058.400] lstrlenW (lpString="Appinfo") returned 7 [0058.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0058.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0058.400] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0058.400] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0058.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0058.400] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0058.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.400] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0058.400] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0058.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0058.400] lstrlenW (lpString="AudioSrv") returned 8 [0058.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0058.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0058.400] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0058.400] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0058.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0058.400] lstrlenW (lpString="BFE") returned 3 [0058.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0058.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0058.400] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0058.400] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0058.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0058.400] lstrlenW (lpString="CryptSvc") returned 8 [0058.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0058.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0058.400] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0058.400] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0058.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0058.400] lstrlenW (lpString="CscService") returned 10 [0058.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0058.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0058.401] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0058.401] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0058.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0058.401] lstrlenW (lpString="DcomLaunch") returned 10 [0058.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.401] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0058.401] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0058.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0058.401] lstrlenW (lpString="Dhcp") returned 4 [0058.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0058.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0058.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0058.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0058.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0058.401] lstrlenW (lpString="Dnscache") returned 8 [0058.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0058.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0058.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0058.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0058.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0058.401] lstrlenW (lpString="DPS") returned 3 [0058.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0058.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0058.401] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0058.401] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0058.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0058.401] lstrlenW (lpString="eventlog") returned 8 [0058.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0058.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0058.402] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0058.402] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0058.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0058.402] lstrlenW (lpString="EventSystem") returned 11 [0058.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0058.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0058.402] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0058.402] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0058.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0058.402] lstrlenW (lpString="gpsvc") returned 5 [0058.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0058.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0058.402] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0058.402] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0058.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0058.402] lstrlenW (lpString="iphlpsvc") returned 8 [0058.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.402] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0058.402] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0058.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0058.402] lstrlenW (lpString="LanmanServer") returned 12 [0058.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0058.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0058.402] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0058.402] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0058.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0058.402] lstrlenW (lpString="LanmanWorkstation") returned 17 [0058.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.402] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0058.402] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0058.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0058.402] lstrlenW (lpString="lmhosts") returned 7 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0058.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0058.403] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0058.403] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0058.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0058.403] lstrlenW (lpString="MMCSS") returned 5 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0058.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0058.403] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0058.403] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0058.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0058.403] lstrlenW (lpString="MpsSvc") returned 6 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0058.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0058.403] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0058.403] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0058.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0058.403] lstrlenW (lpString="Netman") returned 6 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0058.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0058.403] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0058.403] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0058.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0058.403] lstrlenW (lpString="netprofm") returned 8 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0058.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0058.403] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0058.403] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0058.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0058.403] lstrlenW (lpString="NlaSvc") returned 6 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0058.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0058.403] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0058.403] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0058.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0058.403] lstrlenW (lpString="nsi") returned 3 [0058.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0058.404] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0058.404] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0058.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0058.404] lstrlenW (lpString="PcaSvc") returned 6 [0058.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0058.404] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0058.404] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0058.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0058.404] lstrlenW (lpString="PlugPlay") returned 8 [0058.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0058.404] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0058.404] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0058.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0058.404] lstrlenW (lpString="Power") returned 5 [0058.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0058.404] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0058.404] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0058.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0058.404] lstrlenW (lpString="ProfSvc") returned 7 [0058.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0058.404] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0058.404] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0058.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0058.404] lstrlenW (lpString="RpcEptMapper") returned 12 [0058.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.404] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0058.404] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0058.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0058.404] lstrlenW (lpString="RpcSs") returned 5 [0058.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0058.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0058.405] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0058.405] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0058.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0058.405] lstrlenW (lpString="SamSs") returned 5 [0058.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0058.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0058.405] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0058.405] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0058.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0058.405] lstrlenW (lpString="Schedule") returned 8 [0058.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0058.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0058.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0058.405] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0058.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0058.405] lstrlenW (lpString="SENS") returned 4 [0058.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0058.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0058.405] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0058.405] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0058.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0058.405] lstrlenW (lpString="ShellHWDetection") returned 16 [0058.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.405] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0058.405] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0058.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0058.405] lstrlenW (lpString="Spooler") returned 7 [0058.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0058.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0058.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0058.405] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0058.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0058.405] lstrlenW (lpString="swprv") returned 5 [0058.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0058.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0058.406] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0058.406] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0058.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0058.406] lstrlenW (lpString="SysMain") returned 7 [0058.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0058.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0058.406] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0058.406] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0058.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0058.406] lstrlenW (lpString="Themes") returned 6 [0058.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0058.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0058.406] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0058.406] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0058.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0058.406] lstrlenW (lpString="TrkWks") returned 6 [0058.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0058.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0058.406] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0058.406] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0058.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0058.406] lstrlenW (lpString="UxSms") returned 5 [0058.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0058.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0058.406] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0058.406] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0058.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0058.406] lstrlenW (lpString="VSS") returned 3 [0058.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0058.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0058.407] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0058.407] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0058.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0058.407] lstrlenW (lpString="WdiServiceHost") returned 14 [0058.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0058.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0058.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0058.407] lstrlenW (lpString="WdiSystemHost") returned 13 [0058.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0058.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0058.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0058.407] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0058.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0058.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0058.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0058.407] lstrlenW (lpString="Winmgmt") returned 7 [0058.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0058.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0058.407] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0058.407] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0058.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0058.407] lstrlenW (lpString="WPDBusEnum") returned 10 [0058.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.408] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0058.408] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0058.408] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0058.408] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f3f0a8 | out: hHeap=0x500000) returned 1 [0058.408] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c8 [0058.412] Process32FirstW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.412] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.413] lstrlenW (lpString="System") returned 6 [0058.413] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0058.413] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0058.413] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0058.413] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0058.413] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0058.413] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0058.413] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0058.414] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.414] lstrlenW (lpString="smss.exe") returned 8 [0058.414] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0058.414] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0058.414] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0058.414] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0058.414] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0058.414] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0058.414] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0058.414] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.415] lstrlenW (lpString="csrss.exe") returned 9 [0058.415] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0058.415] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0058.415] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0058.415] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0058.415] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0058.415] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0058.415] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0058.415] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.415] lstrlenW (lpString="wininit.exe") returned 11 [0058.415] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0058.416] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0058.416] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0058.416] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.416] lstrlenW (lpString="csrss.exe") returned 9 [0058.416] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.417] lstrlenW (lpString="winlogon.exe") returned 12 [0058.417] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.417] lstrlenW (lpString="services.exe") returned 12 [0058.417] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.418] lstrlenW (lpString="lsass.exe") returned 9 [0058.418] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0058.418] lstrlenW (lpString="lsm.exe") returned 7 [0058.418] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.419] lstrlenW (lpString="svchost.exe") returned 11 [0058.419] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.419] lstrlenW (lpString="svchost.exe") returned 11 [0058.420] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.420] lstrlenW (lpString="svchost.exe") returned 11 [0058.420] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.421] lstrlenW (lpString="svchost.exe") returned 11 [0058.421] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.421] lstrlenW (lpString="svchost.exe") returned 11 [0058.421] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.422] lstrlenW (lpString="audiodg.exe") returned 11 [0058.422] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.422] lstrlenW (lpString="svchost.exe") returned 11 [0058.422] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.423] lstrlenW (lpString="svchost.exe") returned 11 [0058.423] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.423] lstrlenW (lpString="dwm.exe") returned 7 [0058.423] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.424] lstrlenW (lpString="explorer.exe") returned 12 [0058.424] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.424] lstrlenW (lpString="spoolsv.exe") returned 11 [0058.424] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.425] lstrlenW (lpString="svchost.exe") returned 11 [0058.425] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.425] lstrlenW (lpString="taskhost.exe") returned 12 [0058.425] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0058.426] lstrlenW (lpString="taskeng.exe") returned 11 [0058.426] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0058.426] lstrlenW (lpString="prime.exe") returned 9 [0058.426] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0058.427] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0058.427] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0058.427] lstrlenW (lpString="financing.exe") returned 13 [0058.428] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0058.428] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0058.428] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0058.429] lstrlenW (lpString="dg hit.exe") returned 10 [0058.429] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0058.430] lstrlenW (lpString="banners_drops.exe") returned 17 [0058.430] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0058.430] lstrlenW (lpString="vacuum.exe") returned 10 [0058.430] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0058.431] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0058.431] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0058.431] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0058.432] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0058.432] lstrlenW (lpString="holocauststored.exe") returned 19 [0058.432] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0058.432] lstrlenW (lpString="mini.exe") returned 8 [0058.433] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0058.433] lstrlenW (lpString="bi_tiny.exe") returned 11 [0058.433] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0058.434] lstrlenW (lpString="mall_drawn.exe") returned 14 [0058.434] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0058.434] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0058.434] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0058.435] lstrlenW (lpString="distributed.exe") returned 15 [0058.435] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0058.435] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0058.435] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0058.436] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0058.436] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0058.436] lstrlenW (lpString="3dftp.exe") returned 9 [0058.436] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0058.437] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0058.437] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0058.437] lstrlenW (lpString="alftp.exe") returned 9 [0058.437] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0058.438] lstrlenW (lpString="barca.exe") returned 9 [0058.438] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0058.438] lstrlenW (lpString="bitkinex.exe") returned 12 [0058.438] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0058.439] lstrlenW (lpString="coreftp.exe") returned 11 [0058.439] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0058.439] lstrlenW (lpString="far.exe") returned 7 [0058.439] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0058.440] lstrlenW (lpString="filezilla.exe") returned 13 [0058.440] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0058.440] lstrlenW (lpString="flashfxp.exe") returned 12 [0058.440] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0058.441] lstrlenW (lpString="fling.exe") returned 9 [0058.441] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0058.441] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0058.441] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0058.442] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0058.442] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0058.442] lstrlenW (lpString="icq.exe") returned 7 [0058.442] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0058.443] lstrlenW (lpString="leechftp.exe") returned 12 [0058.443] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0058.443] lstrlenW (lpString="ncftp.exe") returned 9 [0058.443] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0058.444] lstrlenW (lpString="notepad.exe") returned 11 [0058.444] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0058.445] lstrlenW (lpString="operamail.exe") returned 13 [0058.445] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0058.446] lstrlenW (lpString="pidgin.exe") returned 10 [0058.446] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0058.447] lstrlenW (lpString="scriptftp.exe") returned 13 [0058.447] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0058.447] lstrlenW (lpString="skype.exe") returned 9 [0058.447] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0058.448] lstrlenW (lpString="smartftp.exe") returned 12 [0058.448] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0058.449] lstrlenW (lpString="thunderbird.exe") returned 15 [0058.449] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0058.450] lstrlenW (lpString="totalcmd.exe") returned 12 [0058.450] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0058.451] lstrlenW (lpString="trillian.exe") returned 12 [0058.451] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0058.452] lstrlenW (lpString="webdrive.exe") returned 12 [0058.452] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0058.452] lstrlenW (lpString="whatsapp.exe") returned 12 [0058.452] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0058.453] lstrlenW (lpString="winscp.exe") returned 10 [0058.453] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0058.454] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0058.454] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0058.455] lstrlenW (lpString="active-charge.exe") returned 17 [0058.455] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0058.455] lstrlenW (lpString="accupos.exe") returned 11 [0058.456] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0058.456] lstrlenW (lpString="afr38.exe") returned 9 [0058.456] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0058.457] lstrlenW (lpString="aldelo.exe") returned 10 [0058.457] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0058.458] lstrlenW (lpString="ccv_server.exe") returned 14 [0058.458] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0058.458] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0058.459] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0058.459] lstrlenW (lpString="creditservice.exe") returned 17 [0058.459] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0058.460] lstrlenW (lpString="edcsvr.exe") returned 10 [0058.460] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0058.461] lstrlenW (lpString="fpos.exe") returned 8 [0058.461] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0058.462] lstrlenW (lpString="isspos.exe") returned 10 [0058.462] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0058.462] lstrlenW (lpString="mxslipstream.exe") returned 16 [0058.462] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0058.463] lstrlenW (lpString="omnipos.exe") returned 11 [0058.463] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0058.464] lstrlenW (lpString="spcwin.exe") returned 10 [0058.464] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0058.464] lstrlenW (lpString="spgagentservice.exe") returned 19 [0058.465] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0058.465] lstrlenW (lpString="utg2.exe") returned 8 [0058.465] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0058.466] lstrlenW (lpString="focuses.exe") returned 11 [0058.466] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0058.467] lstrlenW (lpString="fi fence.exe") returned 12 [0058.467] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0058.467] lstrlenW (lpString="knight.exe") returned 10 [0058.467] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0058.468] lstrlenW (lpString="library.exe") returned 11 [0058.468] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.469] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.469] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.469] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.469] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.470] lstrlenW (lpString="taskhost.exe") returned 12 [0058.470] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0058.471] lstrlenW (lpString="winhost.exe") returned 11 [0058.471] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.471] lstrlenW (lpString="cmd.exe") returned 7 [0058.471] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.472] lstrlenW (lpString="conhost.exe") returned 11 [0058.472] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0058.472] lstrlenW (lpString="vssadmin.exe") returned 12 [0058.472] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0058.473] lstrlenW (lpString="VSSVC.exe") returned 9 [0058.473] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.474] lstrlenW (lpString="svchost.exe") returned 11 [0058.474] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0058.474] CloseHandle (hObject=0x1c8) returned 1 [0058.474] Sleep (dwMilliseconds=0x1f4) [0059.055] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3510 [0059.055] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0059.056] GetLastError () returned 0xea [0059.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f3f0a8 [0059.056] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f3f0a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f3f0a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0059.057] CloseServiceHandle (hSCObject=0x5a3510) returned 1 [0059.057] lstrlenW (lpString="Appinfo") returned 7 [0059.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0059.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0059.057] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0059.057] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0059.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0059.058] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0059.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.058] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0059.058] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0059.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0059.058] lstrlenW (lpString="AudioSrv") returned 8 [0059.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0059.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0059.058] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0059.058] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0059.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0059.058] lstrlenW (lpString="BFE") returned 3 [0059.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0059.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0059.058] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0059.058] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0059.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0059.058] lstrlenW (lpString="CryptSvc") returned 8 [0059.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0059.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0059.058] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0059.058] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0059.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0059.058] lstrlenW (lpString="CscService") returned 10 [0059.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0059.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0059.059] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0059.059] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0059.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0059.059] lstrlenW (lpString="DcomLaunch") returned 10 [0059.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.059] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0059.059] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0059.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0059.059] lstrlenW (lpString="Dhcp") returned 4 [0059.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0059.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0059.059] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0059.059] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0059.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0059.059] lstrlenW (lpString="Dnscache") returned 8 [0059.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0059.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0059.059] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0059.059] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0059.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0059.059] lstrlenW (lpString="DPS") returned 3 [0059.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0059.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0059.059] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0059.059] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0059.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0059.060] lstrlenW (lpString="eventlog") returned 8 [0059.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0059.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0059.060] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0059.060] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0059.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0059.060] lstrlenW (lpString="EventSystem") returned 11 [0059.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0059.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0059.060] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0059.060] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0059.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0059.060] lstrlenW (lpString="gpsvc") returned 5 [0059.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0059.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0059.060] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0059.060] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0059.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0059.060] lstrlenW (lpString="iphlpsvc") returned 8 [0059.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.060] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0059.060] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0059.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0059.060] lstrlenW (lpString="LanmanServer") returned 12 [0059.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0059.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0059.061] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0059.061] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0059.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0059.061] lstrlenW (lpString="LanmanWorkstation") returned 17 [0059.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.061] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0059.061] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0059.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0059.061] lstrlenW (lpString="lmhosts") returned 7 [0059.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0059.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0059.061] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0059.061] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0059.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0059.061] lstrlenW (lpString="MMCSS") returned 5 [0059.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0059.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0059.061] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0059.061] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0059.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0059.061] lstrlenW (lpString="MpsSvc") returned 6 [0059.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0059.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0059.061] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0059.061] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0059.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0059.061] lstrlenW (lpString="Netman") returned 6 [0059.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0059.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0059.062] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0059.062] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0059.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0059.062] lstrlenW (lpString="netprofm") returned 8 [0059.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0059.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0059.062] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0059.062] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0059.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0059.062] lstrlenW (lpString="NlaSvc") returned 6 [0059.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0059.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0059.062] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0059.062] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0059.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0059.062] lstrlenW (lpString="nsi") returned 3 [0059.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0059.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0059.062] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0059.062] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0059.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0059.062] lstrlenW (lpString="PcaSvc") returned 6 [0059.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0059.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0059.062] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0059.063] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0059.063] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0059.063] lstrlenW (lpString="PlugPlay") returned 8 [0059.063] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0059.063] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0059.063] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0059.063] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0059.063] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0059.063] lstrlenW (lpString="Power") returned 5 [0059.063] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0059.063] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0059.063] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0059.063] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0059.063] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0059.063] lstrlenW (lpString="ProfSvc") returned 7 [0059.063] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0059.063] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0059.063] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0059.063] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0059.063] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0059.063] lstrlenW (lpString="RpcEptMapper") returned 12 [0059.063] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.063] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.063] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0059.063] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0059.063] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0059.063] lstrlenW (lpString="RpcSs") returned 5 [0059.063] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0059.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0059.064] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0059.064] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0059.064] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0059.064] lstrlenW (lpString="SamSs") returned 5 [0059.064] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0059.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0059.064] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0059.064] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0059.064] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0059.064] lstrlenW (lpString="Schedule") returned 8 [0059.064] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0059.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0059.064] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0059.064] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0059.064] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0059.064] lstrlenW (lpString="SENS") returned 4 [0059.064] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0059.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0059.064] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0059.064] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0059.064] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0059.064] lstrlenW (lpString="ShellHWDetection") returned 16 [0059.064] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.064] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0059.064] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0059.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0059.065] lstrlenW (lpString="Spooler") returned 7 [0059.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0059.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0059.065] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0059.065] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0059.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0059.065] lstrlenW (lpString="swprv") returned 5 [0059.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0059.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0059.065] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0059.065] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0059.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0059.065] lstrlenW (lpString="SysMain") returned 7 [0059.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0059.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0059.065] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0059.065] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0059.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0059.065] lstrlenW (lpString="Themes") returned 6 [0059.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0059.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0059.065] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0059.065] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0059.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0059.065] lstrlenW (lpString="TrkWks") returned 6 [0059.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0059.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0059.066] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0059.066] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0059.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0059.066] lstrlenW (lpString="UxSms") returned 5 [0059.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0059.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0059.066] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0059.066] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0059.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0059.066] lstrlenW (lpString="VSS") returned 3 [0059.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0059.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0059.066] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0059.066] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0059.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0059.066] lstrlenW (lpString="WdiServiceHost") returned 14 [0059.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.066] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0059.066] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0059.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0059.066] lstrlenW (lpString="WdiSystemHost") returned 13 [0059.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.066] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0059.066] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0059.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0059.066] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0059.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.067] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0059.067] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0059.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0059.067] lstrlenW (lpString="Winmgmt") returned 7 [0059.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0059.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0059.067] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0059.067] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0059.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0059.067] lstrlenW (lpString="WPDBusEnum") returned 10 [0059.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.067] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0059.067] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0059.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0059.067] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f3f0a8 | out: hHeap=0x500000) returned 1 [0059.067] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c8 [0059.072] Process32FirstW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0059.073] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0059.073] lstrlenW (lpString="System") returned 6 [0059.073] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0059.073] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0059.073] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0059.074] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0059.074] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0059.074] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0059.074] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0059.074] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0059.074] lstrlenW (lpString="smss.exe") returned 8 [0059.074] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0059.074] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0059.074] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0059.074] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0059.074] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0059.075] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0059.075] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0059.075] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.075] lstrlenW (lpString="csrss.exe") returned 9 [0059.075] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0059.075] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0059.075] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0059.075] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0059.075] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0059.075] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0059.076] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0059.076] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0059.076] lstrlenW (lpString="wininit.exe") returned 11 [0059.076] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0059.076] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0059.076] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0059.076] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.077] lstrlenW (lpString="csrss.exe") returned 9 [0059.077] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0059.078] lstrlenW (lpString="winlogon.exe") returned 12 [0059.078] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0059.079] lstrlenW (lpString="services.exe") returned 12 [0059.079] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0059.079] lstrlenW (lpString="lsass.exe") returned 9 [0059.079] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0059.080] lstrlenW (lpString="lsm.exe") returned 7 [0059.080] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.081] lstrlenW (lpString="svchost.exe") returned 11 [0059.081] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.081] lstrlenW (lpString="svchost.exe") returned 11 [0059.081] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.082] lstrlenW (lpString="svchost.exe") returned 11 [0059.082] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.083] lstrlenW (lpString="svchost.exe") returned 11 [0059.083] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.083] lstrlenW (lpString="svchost.exe") returned 11 [0059.083] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0059.095] lstrlenW (lpString="audiodg.exe") returned 11 [0059.095] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.095] lstrlenW (lpString="svchost.exe") returned 11 [0059.096] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.096] lstrlenW (lpString="svchost.exe") returned 11 [0059.096] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0059.097] lstrlenW (lpString="dwm.exe") returned 7 [0059.097] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0059.098] lstrlenW (lpString="explorer.exe") returned 12 [0059.098] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0059.098] lstrlenW (lpString="spoolsv.exe") returned 11 [0059.098] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.099] lstrlenW (lpString="svchost.exe") returned 11 [0059.099] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0059.147] lstrlenW (lpString="taskhost.exe") returned 12 [0059.147] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0059.148] lstrlenW (lpString="taskeng.exe") returned 11 [0059.148] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0059.149] lstrlenW (lpString="prime.exe") returned 9 [0059.149] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0059.149] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0059.149] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0059.150] lstrlenW (lpString="financing.exe") returned 13 [0059.150] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0059.151] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0059.151] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0059.151] lstrlenW (lpString="dg hit.exe") returned 10 [0059.152] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0059.152] lstrlenW (lpString="banners_drops.exe") returned 17 [0059.152] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0059.153] lstrlenW (lpString="vacuum.exe") returned 10 [0059.153] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0059.153] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0059.154] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0059.154] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0059.154] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0059.155] lstrlenW (lpString="holocauststored.exe") returned 19 [0059.155] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0059.155] lstrlenW (lpString="mini.exe") returned 8 [0059.156] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0059.156] lstrlenW (lpString="bi_tiny.exe") returned 11 [0059.156] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0059.157] lstrlenW (lpString="mall_drawn.exe") returned 14 [0059.157] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0059.158] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0059.158] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0059.158] lstrlenW (lpString="distributed.exe") returned 15 [0059.158] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0059.159] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0059.159] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0059.160] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0059.160] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0059.160] lstrlenW (lpString="3dftp.exe") returned 9 [0059.160] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0059.161] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0059.161] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0059.162] lstrlenW (lpString="alftp.exe") returned 9 [0059.164] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0059.165] lstrlenW (lpString="barca.exe") returned 9 [0059.165] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0059.165] lstrlenW (lpString="bitkinex.exe") returned 12 [0059.166] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0059.166] lstrlenW (lpString="coreftp.exe") returned 11 [0059.166] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0059.167] lstrlenW (lpString="far.exe") returned 7 [0059.167] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0059.168] lstrlenW (lpString="filezilla.exe") returned 13 [0059.168] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0059.168] lstrlenW (lpString="flashfxp.exe") returned 12 [0059.168] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0059.169] lstrlenW (lpString="fling.exe") returned 9 [0059.169] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0059.170] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0059.170] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0059.170] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0059.170] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0059.171] lstrlenW (lpString="icq.exe") returned 7 [0059.171] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0059.172] lstrlenW (lpString="leechftp.exe") returned 12 [0059.172] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0059.173] lstrlenW (lpString="ncftp.exe") returned 9 [0059.173] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0059.173] lstrlenW (lpString="notepad.exe") returned 11 [0059.173] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0059.174] lstrlenW (lpString="operamail.exe") returned 13 [0059.174] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0059.175] lstrlenW (lpString="pidgin.exe") returned 10 [0059.175] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0059.176] lstrlenW (lpString="scriptftp.exe") returned 13 [0059.176] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0059.177] lstrlenW (lpString="skype.exe") returned 9 [0059.177] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0059.179] lstrlenW (lpString="smartftp.exe") returned 12 [0059.179] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0059.180] lstrlenW (lpString="thunderbird.exe") returned 15 [0059.180] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0059.181] lstrlenW (lpString="totalcmd.exe") returned 12 [0059.181] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0059.182] lstrlenW (lpString="trillian.exe") returned 12 [0059.182] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0059.183] lstrlenW (lpString="webdrive.exe") returned 12 [0059.183] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0059.184] lstrlenW (lpString="whatsapp.exe") returned 12 [0059.184] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0059.185] lstrlenW (lpString="winscp.exe") returned 10 [0059.185] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0059.186] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0059.186] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0059.187] lstrlenW (lpString="active-charge.exe") returned 17 [0059.187] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0059.188] lstrlenW (lpString="accupos.exe") returned 11 [0059.188] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0059.189] lstrlenW (lpString="afr38.exe") returned 9 [0059.189] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0059.190] lstrlenW (lpString="aldelo.exe") returned 10 [0059.190] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0059.191] lstrlenW (lpString="ccv_server.exe") returned 14 [0059.191] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0059.192] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0059.192] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0059.193] lstrlenW (lpString="creditservice.exe") returned 17 [0059.193] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0059.275] lstrlenW (lpString="edcsvr.exe") returned 10 [0059.275] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0059.276] lstrlenW (lpString="fpos.exe") returned 8 [0059.276] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0059.277] lstrlenW (lpString="isspos.exe") returned 10 [0059.277] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0059.278] lstrlenW (lpString="mxslipstream.exe") returned 16 [0059.278] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0059.282] lstrlenW (lpString="omnipos.exe") returned 11 [0059.282] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0059.362] lstrlenW (lpString="spcwin.exe") returned 10 [0059.362] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0059.378] lstrlenW (lpString="spgagentservice.exe") returned 19 [0059.378] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0059.379] lstrlenW (lpString="utg2.exe") returned 8 [0059.379] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0059.380] lstrlenW (lpString="focuses.exe") returned 11 [0059.380] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0059.386] lstrlenW (lpString="fi fence.exe") returned 12 [0059.386] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0059.397] lstrlenW (lpString="knight.exe") returned 10 [0059.397] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0059.404] lstrlenW (lpString="library.exe") returned 11 [0059.404] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0059.415] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0059.416] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0059.423] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0059.423] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0059.425] lstrlenW (lpString="taskhost.exe") returned 12 [0059.425] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0059.425] lstrlenW (lpString="winhost.exe") returned 11 [0059.425] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0059.426] lstrlenW (lpString="cmd.exe") returned 7 [0059.426] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0059.427] lstrlenW (lpString="conhost.exe") returned 11 [0059.427] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0059.428] lstrlenW (lpString="vssadmin.exe") returned 12 [0059.428] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0059.429] lstrlenW (lpString="VSSVC.exe") returned 9 [0059.429] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.429] lstrlenW (lpString="svchost.exe") returned 11 [0059.429] Process32NextW (in: hSnapshot=0x1c8, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0059.430] CloseHandle (hObject=0x1c8) returned 1 [0059.430] Sleep (dwMilliseconds=0x1f4) [0060.170] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3510 [0060.170] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0060.170] GetLastError () returned 0xea [0060.170] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f410a8 [0060.171] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f410a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f410a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0060.172] CloseServiceHandle (hSCObject=0x5a3510) returned 1 [0060.172] lstrlenW (lpString="Appinfo") returned 7 [0060.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0060.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0060.172] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0060.172] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0060.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0060.172] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0060.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0060.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0060.172] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0060.172] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0060.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0060.172] lstrlenW (lpString="AudioSrv") returned 8 [0060.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0060.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0060.172] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0060.172] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0060.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0060.172] lstrlenW (lpString="BFE") returned 3 [0060.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0060.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0060.172] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0060.172] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0060.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0060.172] lstrlenW (lpString="CryptSvc") returned 8 [0060.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0060.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0060.173] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0060.173] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0060.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0060.173] lstrlenW (lpString="CscService") returned 10 [0060.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0060.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0060.173] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0060.173] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0060.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0060.173] lstrlenW (lpString="DcomLaunch") returned 10 [0060.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0060.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0060.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0060.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0060.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0060.173] lstrlenW (lpString="Dhcp") returned 4 [0060.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0060.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0060.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0060.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0060.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0060.173] lstrlenW (lpString="Dnscache") returned 8 [0060.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0060.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0060.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0060.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0060.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0060.173] lstrlenW (lpString="DPS") returned 3 [0060.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0060.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0060.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0060.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0060.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0060.173] lstrlenW (lpString="eventlog") returned 8 [0060.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0060.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0060.174] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0060.174] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0060.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0060.174] lstrlenW (lpString="EventSystem") returned 11 [0060.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0060.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0060.174] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0060.174] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0060.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0060.174] lstrlenW (lpString="gpsvc") returned 5 [0060.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0060.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0060.174] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0060.174] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0060.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0060.174] lstrlenW (lpString="iphlpsvc") returned 8 [0060.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0060.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0060.174] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0060.174] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0060.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0060.174] lstrlenW (lpString="LanmanServer") returned 12 [0060.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0060.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0060.174] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0060.174] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0060.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0060.174] lstrlenW (lpString="LanmanWorkstation") returned 17 [0060.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0060.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0060.174] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0060.174] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0060.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0060.175] lstrlenW (lpString="lmhosts") returned 7 [0060.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0060.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0060.175] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0060.175] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0060.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0060.175] lstrlenW (lpString="MMCSS") returned 5 [0060.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0060.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0060.175] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0060.175] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0060.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0060.175] lstrlenW (lpString="MpsSvc") returned 6 [0060.182] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0060.182] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0060.182] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0060.182] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0060.182] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0060.182] lstrlenW (lpString="Netman") returned 6 [0060.182] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0060.182] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0060.182] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0060.182] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0060.182] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0060.182] lstrlenW (lpString="netprofm") returned 8 [0060.182] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0060.182] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0060.182] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0060.182] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0060.182] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0060.182] lstrlenW (lpString="NlaSvc") returned 6 [0060.182] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0060.182] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0060.182] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0060.182] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0060.182] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0060.182] lstrlenW (lpString="nsi") returned 3 [0060.182] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0060.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0060.183] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0060.183] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0060.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0060.183] lstrlenW (lpString="PcaSvc") returned 6 [0060.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0060.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0060.183] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0060.183] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0060.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0060.183] lstrlenW (lpString="PlugPlay") returned 8 [0060.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0060.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0060.183] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0060.183] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0060.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0060.183] lstrlenW (lpString="Power") returned 5 [0060.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0060.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0060.183] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0060.183] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0060.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0060.183] lstrlenW (lpString="ProfSvc") returned 7 [0060.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0060.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0060.183] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0060.183] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0060.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0060.183] lstrlenW (lpString="RpcEptMapper") returned 12 [0060.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.184] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0060.184] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0060.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0060.184] lstrlenW (lpString="RpcSs") returned 5 [0060.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0060.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0060.184] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0060.184] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0060.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0060.184] lstrlenW (lpString="SamSs") returned 5 [0060.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0060.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0060.184] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0060.184] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0060.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0060.184] lstrlenW (lpString="Schedule") returned 8 [0060.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0060.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0060.184] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0060.184] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0060.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0060.184] lstrlenW (lpString="SENS") returned 4 [0060.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0060.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0060.184] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0060.184] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0060.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0060.184] lstrlenW (lpString="ShellHWDetection") returned 16 [0060.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.184] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0060.185] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0060.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0060.185] lstrlenW (lpString="Spooler") returned 7 [0060.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0060.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0060.185] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0060.185] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0060.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0060.185] lstrlenW (lpString="swprv") returned 5 [0060.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0060.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0060.185] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0060.185] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0060.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0060.185] lstrlenW (lpString="SysMain") returned 7 [0060.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0060.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0060.185] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0060.185] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0060.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0060.185] lstrlenW (lpString="Themes") returned 6 [0060.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0060.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0060.185] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0060.185] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0060.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0060.185] lstrlenW (lpString="TrkWks") returned 6 [0060.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0060.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0060.185] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0060.185] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0060.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0060.185] lstrlenW (lpString="UxSms") returned 5 [0060.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0060.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0060.186] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0060.186] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0060.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0060.186] lstrlenW (lpString="VSS") returned 3 [0060.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0060.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0060.186] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0060.186] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0060.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0060.186] lstrlenW (lpString="WdiServiceHost") returned 14 [0060.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0060.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0060.186] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0060.186] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0060.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0060.186] lstrlenW (lpString="WdiSystemHost") returned 13 [0060.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0060.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0060.186] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0060.186] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0060.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0060.186] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0060.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0060.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0060.186] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0060.186] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0060.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0060.186] lstrlenW (lpString="Winmgmt") returned 7 [0060.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0060.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0060.186] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0060.187] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0060.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0060.187] lstrlenW (lpString="WPDBusEnum") returned 10 [0060.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0060.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0060.187] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0060.187] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0060.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0060.187] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f410a8 | out: hHeap=0x500000) returned 1 [0060.187] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ac [0060.193] Process32FirstW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.262] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.278] lstrlenW (lpString="System") returned 6 [0060.278] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0060.279] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0060.279] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0060.279] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0060.279] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0060.279] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0060.279] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0060.279] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.279] lstrlenW (lpString="smss.exe") returned 8 [0060.280] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0060.280] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.280] lstrlenW (lpString="csrss.exe") returned 9 [0060.280] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0060.280] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0060.280] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0060.280] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0060.280] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0060.281] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0060.281] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.281] lstrlenW (lpString="wininit.exe") returned 11 [0060.281] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0060.281] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0060.281] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0060.281] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.282] lstrlenW (lpString="csrss.exe") returned 9 [0060.282] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.283] lstrlenW (lpString="winlogon.exe") returned 12 [0060.283] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.283] lstrlenW (lpString="services.exe") returned 12 [0060.283] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.284] lstrlenW (lpString="lsass.exe") returned 9 [0060.284] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.285] lstrlenW (lpString="lsm.exe") returned 7 [0060.285] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.285] lstrlenW (lpString="svchost.exe") returned 11 [0060.285] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.286] lstrlenW (lpString="svchost.exe") returned 11 [0060.286] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.287] lstrlenW (lpString="svchost.exe") returned 11 [0060.287] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.287] lstrlenW (lpString="svchost.exe") returned 11 [0060.287] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.288] lstrlenW (lpString="svchost.exe") returned 11 [0060.288] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.289] lstrlenW (lpString="audiodg.exe") returned 11 [0060.289] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.289] lstrlenW (lpString="svchost.exe") returned 11 [0060.290] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.290] lstrlenW (lpString="svchost.exe") returned 11 [0060.290] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.291] lstrlenW (lpString="dwm.exe") returned 7 [0060.291] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.292] lstrlenW (lpString="explorer.exe") returned 12 [0060.292] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.292] lstrlenW (lpString="spoolsv.exe") returned 11 [0060.292] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.293] lstrlenW (lpString="svchost.exe") returned 11 [0060.293] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.294] lstrlenW (lpString="taskhost.exe") returned 12 [0060.294] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0060.294] lstrlenW (lpString="taskeng.exe") returned 11 [0060.294] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0060.295] lstrlenW (lpString="prime.exe") returned 9 [0060.295] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0060.296] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0060.296] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0060.296] lstrlenW (lpString="financing.exe") returned 13 [0060.296] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0060.297] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0060.297] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0060.298] lstrlenW (lpString="dg hit.exe") returned 10 [0060.298] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0060.298] lstrlenW (lpString="banners_drops.exe") returned 17 [0060.298] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0060.299] lstrlenW (lpString="vacuum.exe") returned 10 [0060.299] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0060.300] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0060.300] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0060.300] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0060.300] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0060.462] lstrlenW (lpString="holocauststored.exe") returned 19 [0060.541] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0060.541] lstrlenW (lpString="mini.exe") returned 8 [0060.542] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0060.542] lstrlenW (lpString="bi_tiny.exe") returned 11 [0060.542] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0060.543] lstrlenW (lpString="mall_drawn.exe") returned 14 [0060.543] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0060.544] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0060.544] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0060.544] lstrlenW (lpString="distributed.exe") returned 15 [0060.545] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0060.545] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0060.545] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0060.546] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0060.546] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0060.547] lstrlenW (lpString="3dftp.exe") returned 9 [0060.547] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0060.548] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0060.548] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0060.548] lstrlenW (lpString="alftp.exe") returned 9 [0060.548] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0060.549] lstrlenW (lpString="barca.exe") returned 9 [0060.549] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0060.550] lstrlenW (lpString="bitkinex.exe") returned 12 [0060.550] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0060.551] lstrlenW (lpString="coreftp.exe") returned 11 [0060.551] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0060.552] lstrlenW (lpString="far.exe") returned 7 [0060.552] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0060.553] lstrlenW (lpString="filezilla.exe") returned 13 [0060.553] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0060.553] lstrlenW (lpString="flashfxp.exe") returned 12 [0060.553] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0060.554] lstrlenW (lpString="fling.exe") returned 9 [0060.554] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0060.555] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0060.555] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0060.555] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0060.555] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0060.556] lstrlenW (lpString="icq.exe") returned 7 [0060.556] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0060.557] lstrlenW (lpString="leechftp.exe") returned 12 [0060.557] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0060.557] lstrlenW (lpString="ncftp.exe") returned 9 [0060.558] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0060.558] lstrlenW (lpString="notepad.exe") returned 11 [0060.558] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0060.559] lstrlenW (lpString="operamail.exe") returned 13 [0060.559] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0060.560] lstrlenW (lpString="pidgin.exe") returned 10 [0060.560] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0060.561] lstrlenW (lpString="scriptftp.exe") returned 13 [0060.561] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0060.562] lstrlenW (lpString="skype.exe") returned 9 [0060.562] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0060.563] lstrlenW (lpString="smartftp.exe") returned 12 [0060.563] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0060.564] lstrlenW (lpString="thunderbird.exe") returned 15 [0060.564] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0060.566] lstrlenW (lpString="totalcmd.exe") returned 12 [0060.566] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0060.567] lstrlenW (lpString="trillian.exe") returned 12 [0060.567] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0060.568] lstrlenW (lpString="webdrive.exe") returned 12 [0060.568] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0060.569] lstrlenW (lpString="whatsapp.exe") returned 12 [0060.569] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0060.570] lstrlenW (lpString="winscp.exe") returned 10 [0060.570] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0060.571] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0060.572] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0060.572] lstrlenW (lpString="active-charge.exe") returned 17 [0060.573] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0060.573] lstrlenW (lpString="accupos.exe") returned 11 [0060.574] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0060.574] lstrlenW (lpString="afr38.exe") returned 9 [0060.575] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0060.576] lstrlenW (lpString="aldelo.exe") returned 10 [0060.576] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0060.577] lstrlenW (lpString="ccv_server.exe") returned 14 [0060.577] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0060.577] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0060.578] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0060.578] lstrlenW (lpString="creditservice.exe") returned 17 [0060.579] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0060.579] lstrlenW (lpString="edcsvr.exe") returned 10 [0060.579] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0060.580] lstrlenW (lpString="fpos.exe") returned 8 [0060.580] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0060.976] lstrlenW (lpString="isspos.exe") returned 10 [0060.976] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0060.977] lstrlenW (lpString="mxslipstream.exe") returned 16 [0060.978] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0060.979] lstrlenW (lpString="omnipos.exe") returned 11 [0060.979] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0060.980] lstrlenW (lpString="spcwin.exe") returned 10 [0060.980] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0060.981] lstrlenW (lpString="spgagentservice.exe") returned 19 [0060.981] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0060.982] lstrlenW (lpString="utg2.exe") returned 8 [0060.982] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0060.983] lstrlenW (lpString="focuses.exe") returned 11 [0060.983] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0060.984] lstrlenW (lpString="fi fence.exe") returned 12 [0060.984] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0060.985] lstrlenW (lpString="knight.exe") returned 10 [0060.985] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0060.988] lstrlenW (lpString="library.exe") returned 11 [0060.988] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.989] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0060.989] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.990] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0060.990] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.991] lstrlenW (lpString="taskhost.exe") returned 12 [0060.991] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0060.992] lstrlenW (lpString="winhost.exe") returned 11 [0060.992] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0060.992] lstrlenW (lpString="cmd.exe") returned 7 [0060.992] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.993] lstrlenW (lpString="conhost.exe") returned 11 [0060.993] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0060.994] lstrlenW (lpString="vssadmin.exe") returned 12 [0060.994] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0060.995] lstrlenW (lpString="VSSVC.exe") returned 9 [0060.995] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.996] lstrlenW (lpString="svchost.exe") returned 11 [0060.996] Process32NextW (in: hSnapshot=0x1ac, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0060.997] CloseHandle (hObject=0x1ac) returned 1 [0060.997] Sleep (dwMilliseconds=0x1f4) [0063.098] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3510 [0063.119] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0063.196] GetLastError () returned 0xea [0063.196] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f410a8 [0063.198] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f410a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f410a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0063.199] CloseServiceHandle (hSCObject=0x5a3510) returned 1 [0063.199] lstrlenW (lpString="Appinfo") returned 7 [0063.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0063.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0063.199] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0063.199] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0063.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0063.199] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0063.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0063.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0063.199] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0063.199] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0063.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0063.199] lstrlenW (lpString="AudioSrv") returned 8 [0063.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0063.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0063.200] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0063.200] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0063.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0063.200] lstrlenW (lpString="BFE") returned 3 [0063.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0063.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0063.200] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0063.200] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0063.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0063.200] lstrlenW (lpString="CryptSvc") returned 8 [0063.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0063.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0063.200] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0063.200] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0063.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0063.200] lstrlenW (lpString="CscService") returned 10 [0063.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0063.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0063.200] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0063.200] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0063.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0063.200] lstrlenW (lpString="DcomLaunch") returned 10 [0063.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0063.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0063.200] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0063.200] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0063.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0063.200] lstrlenW (lpString="Dhcp") returned 4 [0063.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0063.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0063.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0063.204] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0063.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0063.208] lstrlenW (lpString="Dnscache") returned 8 [0063.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0063.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0063.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0063.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0063.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0063.212] lstrlenW (lpString="DPS") returned 3 [0063.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0063.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0063.212] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0063.212] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0063.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0063.212] lstrlenW (lpString="eventlog") returned 8 [0063.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0063.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0063.212] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0063.212] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0063.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0063.213] lstrlenW (lpString="EventSystem") returned 11 [0063.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0063.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0063.214] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0063.214] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0063.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0063.214] lstrlenW (lpString="gpsvc") returned 5 [0063.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0063.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0063.214] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0063.214] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0063.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0063.214] lstrlenW (lpString="iphlpsvc") returned 8 [0063.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0063.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0063.214] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0063.214] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0063.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0063.214] lstrlenW (lpString="LanmanServer") returned 12 [0063.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0063.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0063.214] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0063.214] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0063.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0063.214] lstrlenW (lpString="LanmanWorkstation") returned 17 [0063.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0063.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0063.214] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0063.214] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0063.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0063.215] lstrlenW (lpString="lmhosts") returned 7 [0063.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0063.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0063.215] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0063.215] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0063.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0063.215] lstrlenW (lpString="MMCSS") returned 5 [0063.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0063.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0063.215] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0063.215] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0063.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0063.215] lstrlenW (lpString="MpsSvc") returned 6 [0063.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0063.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0063.215] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0063.215] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0063.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0063.215] lstrlenW (lpString="Netman") returned 6 [0063.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0063.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0063.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0063.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0063.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0063.215] lstrlenW (lpString="netprofm") returned 8 [0063.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0063.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0063.216] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0063.216] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0063.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0063.216] lstrlenW (lpString="NlaSvc") returned 6 [0063.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0063.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0063.216] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0063.216] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0063.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0063.216] lstrlenW (lpString="nsi") returned 3 [0063.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0063.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0063.216] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0063.216] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0063.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0063.216] lstrlenW (lpString="PcaSvc") returned 6 [0063.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0063.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0063.216] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0063.216] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0063.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0063.216] lstrlenW (lpString="PlugPlay") returned 8 [0063.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0063.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0063.216] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0063.217] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0063.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0063.217] lstrlenW (lpString="Power") returned 5 [0063.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0063.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0063.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0063.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0063.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0063.217] lstrlenW (lpString="ProfSvc") returned 7 [0063.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0063.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0063.217] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0063.217] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0063.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0063.217] lstrlenW (lpString="RpcEptMapper") returned 12 [0063.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0063.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0063.217] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0063.217] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0063.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0063.217] lstrlenW (lpString="RpcSs") returned 5 [0063.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0063.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0063.221] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0063.233] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0063.237] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0063.237] lstrlenW (lpString="SamSs") returned 5 [0063.248] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0063.248] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0063.249] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0063.254] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0063.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0063.258] lstrlenW (lpString="Schedule") returned 8 [0063.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0063.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0063.358] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0063.358] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0063.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0063.358] lstrlenW (lpString="SENS") returned 4 [0063.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0063.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0063.359] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0063.359] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0063.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0063.359] lstrlenW (lpString="ShellHWDetection") returned 16 [0063.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0063.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0063.359] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0063.359] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0063.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0063.359] lstrlenW (lpString="Spooler") returned 7 [0063.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0063.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0063.359] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0063.359] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0063.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0063.359] lstrlenW (lpString="swprv") returned 5 [0063.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0063.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0063.359] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0063.359] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0063.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0063.359] lstrlenW (lpString="SysMain") returned 7 [0063.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0063.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0063.360] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0063.360] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0063.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0063.360] lstrlenW (lpString="Themes") returned 6 [0063.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0063.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0063.360] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0063.360] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0063.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0063.360] lstrlenW (lpString="TrkWks") returned 6 [0063.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0063.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0063.360] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0063.360] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0063.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0063.360] lstrlenW (lpString="UxSms") returned 5 [0063.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0063.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0063.360] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0063.360] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0063.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0063.360] lstrlenW (lpString="VSS") returned 3 [0063.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0063.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0063.360] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0063.360] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0063.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0063.361] lstrlenW (lpString="WdiServiceHost") returned 14 [0063.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0063.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0063.361] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0063.361] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0063.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0063.361] lstrlenW (lpString="WdiSystemHost") returned 13 [0063.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0063.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0063.361] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0063.361] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0063.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0063.361] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0063.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0063.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0063.361] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0063.361] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0063.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0063.361] lstrlenW (lpString="Winmgmt") returned 7 [0063.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0063.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0063.361] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0063.361] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0063.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0063.361] lstrlenW (lpString="WPDBusEnum") returned 10 [0063.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0063.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0063.362] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0063.362] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0063.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0063.362] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f410a8 | out: hHeap=0x500000) returned 1 [0063.362] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x224 [0063.372] Process32FirstW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.373] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.373] lstrlenW (lpString="System") returned 6 [0063.373] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0063.373] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0063.373] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0063.373] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0063.374] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0063.374] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0063.374] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0063.374] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.527] lstrlenW (lpString="smss.exe") returned 8 [0063.527] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0063.527] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0063.527] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0063.527] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0063.527] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0063.527] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0063.527] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0063.527] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.528] lstrlenW (lpString="csrss.exe") returned 9 [0063.528] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0063.528] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0063.528] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0063.528] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0063.528] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0063.528] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0063.528] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0063.528] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.529] lstrlenW (lpString="wininit.exe") returned 11 [0063.529] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0063.529] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0063.529] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0063.529] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.530] lstrlenW (lpString="csrss.exe") returned 9 [0063.530] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.531] lstrlenW (lpString="winlogon.exe") returned 12 [0063.531] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.532] lstrlenW (lpString="services.exe") returned 12 [0063.532] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.533] lstrlenW (lpString="lsass.exe") returned 9 [0063.533] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0063.533] lstrlenW (lpString="lsm.exe") returned 7 [0063.533] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.534] lstrlenW (lpString="svchost.exe") returned 11 [0063.534] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.535] lstrlenW (lpString="svchost.exe") returned 11 [0063.535] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.535] lstrlenW (lpString="svchost.exe") returned 11 [0063.536] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.536] lstrlenW (lpString="svchost.exe") returned 11 [0063.536] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.537] lstrlenW (lpString="svchost.exe") returned 11 [0063.537] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0063.538] lstrlenW (lpString="audiodg.exe") returned 11 [0063.538] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.539] lstrlenW (lpString="svchost.exe") returned 11 [0063.539] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.539] lstrlenW (lpString="svchost.exe") returned 11 [0063.539] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.540] lstrlenW (lpString="dwm.exe") returned 7 [0063.540] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0063.541] lstrlenW (lpString="explorer.exe") returned 12 [0063.541] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.541] lstrlenW (lpString="spoolsv.exe") returned 11 [0063.541] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.542] lstrlenW (lpString="svchost.exe") returned 11 [0063.542] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.543] lstrlenW (lpString="taskhost.exe") returned 12 [0063.543] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0063.543] lstrlenW (lpString="taskeng.exe") returned 11 [0063.543] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="prime.exe")) returned 1 [0063.544] lstrlenW (lpString="prime.exe") returned 9 [0063.544] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tops pod solaris.exe")) returned 1 [0063.545] lstrlenW (lpString="tops pod solaris.exe") returned 20 [0063.545] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="financing.exe")) returned 1 [0063.545] lstrlenW (lpString="financing.exe") returned 13 [0063.545] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="father-imports-characteristics.exe")) returned 1 [0063.546] lstrlenW (lpString="father-imports-characteristics.exe") returned 34 [0063.546] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dg hit.exe")) returned 1 [0063.547] lstrlenW (lpString="dg hit.exe") returned 10 [0063.547] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="banners_drops.exe")) returned 1 [0063.548] lstrlenW (lpString="banners_drops.exe") returned 17 [0063.548] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacuum.exe")) returned 1 [0063.549] lstrlenW (lpString="vacuum.exe") returned 10 [0063.549] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="nintendo-executed-assess.exe")) returned 1 [0063.549] lstrlenW (lpString="nintendo-executed-assess.exe") returned 28 [0063.549] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extra-brothers-contacts.exe")) returned 1 [0063.550] lstrlenW (lpString="extra-brothers-contacts.exe") returned 27 [0063.550] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holocauststored.exe")) returned 1 [0063.551] lstrlenW (lpString="holocauststored.exe") returned 19 [0063.551] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mini.exe")) returned 1 [0063.551] lstrlenW (lpString="mini.exe") returned 8 [0063.552] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bi_tiny.exe")) returned 1 [0063.552] lstrlenW (lpString="bi_tiny.exe") returned 11 [0063.552] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mall_drawn.exe")) returned 1 [0063.553] lstrlenW (lpString="mall_drawn.exe") returned 14 [0063.553] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="boring-patterns-feet.exe")) returned 1 [0063.554] lstrlenW (lpString="boring-patterns-feet.exe") returned 24 [0063.554] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="distributed.exe")) returned 1 [0063.554] lstrlenW (lpString="distributed.exe") returned 15 [0063.554] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="discusses-adventures.exe")) returned 1 [0063.555] lstrlenW (lpString="discusses-adventures.exe") returned 24 [0063.555] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fairfieldgrande.exe")) returned 1 [0063.556] lstrlenW (lpString="fairfieldgrande.exe") returned 19 [0063.556] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0063.556] lstrlenW (lpString="3dftp.exe") returned 9 [0063.556] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0063.557] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0063.557] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0063.558] lstrlenW (lpString="alftp.exe") returned 9 [0063.558] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0063.558] lstrlenW (lpString="barca.exe") returned 9 [0063.558] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0063.559] lstrlenW (lpString="bitkinex.exe") returned 12 [0063.559] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0063.560] lstrlenW (lpString="coreftp.exe") returned 11 [0063.560] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0063.560] lstrlenW (lpString="far.exe") returned 7 [0063.560] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0063.561] lstrlenW (lpString="filezilla.exe") returned 13 [0063.561] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0063.562] lstrlenW (lpString="flashfxp.exe") returned 12 [0063.562] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0063.562] lstrlenW (lpString="fling.exe") returned 9 [0063.562] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0063.563] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0063.563] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0063.564] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0063.564] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0063.564] lstrlenW (lpString="icq.exe") returned 7 [0063.564] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0063.565] lstrlenW (lpString="leechftp.exe") returned 12 [0063.565] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0063.565] lstrlenW (lpString="ncftp.exe") returned 9 [0063.565] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0063.566] lstrlenW (lpString="notepad.exe") returned 11 [0063.566] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0063.566] lstrlenW (lpString="operamail.exe") returned 13 [0063.566] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0063.567] lstrlenW (lpString="pidgin.exe") returned 10 [0063.567] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0063.568] lstrlenW (lpString="scriptftp.exe") returned 13 [0063.568] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0063.569] lstrlenW (lpString="skype.exe") returned 9 [0063.569] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0063.570] lstrlenW (lpString="smartftp.exe") returned 12 [0063.570] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0063.570] lstrlenW (lpString="thunderbird.exe") returned 15 [0063.570] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0063.571] lstrlenW (lpString="totalcmd.exe") returned 12 [0063.571] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0063.572] lstrlenW (lpString="trillian.exe") returned 12 [0063.572] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0063.573] lstrlenW (lpString="webdrive.exe") returned 12 [0063.573] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0063.573] lstrlenW (lpString="whatsapp.exe") returned 12 [0063.574] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0063.574] lstrlenW (lpString="winscp.exe") returned 10 [0063.574] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0063.575] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0063.575] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0063.576] lstrlenW (lpString="active-charge.exe") returned 17 [0063.576] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0063.576] lstrlenW (lpString="accupos.exe") returned 11 [0063.577] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0063.577] lstrlenW (lpString="afr38.exe") returned 9 [0063.577] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0063.578] lstrlenW (lpString="aldelo.exe") returned 10 [0063.578] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0063.579] lstrlenW (lpString="ccv_server.exe") returned 14 [0063.579] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0063.579] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0063.579] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0063.580] lstrlenW (lpString="creditservice.exe") returned 17 [0063.580] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0063.581] lstrlenW (lpString="edcsvr.exe") returned 10 [0063.581] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0063.582] lstrlenW (lpString="fpos.exe") returned 8 [0063.582] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0063.582] lstrlenW (lpString="isspos.exe") returned 10 [0063.582] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0063.583] lstrlenW (lpString="mxslipstream.exe") returned 16 [0063.583] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0063.584] lstrlenW (lpString="omnipos.exe") returned 11 [0063.584] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0063.584] lstrlenW (lpString="spcwin.exe") returned 10 [0063.584] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0063.585] lstrlenW (lpString="spgagentservice.exe") returned 19 [0063.585] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0063.586] lstrlenW (lpString="utg2.exe") returned 8 [0063.586] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="focuses.exe")) returned 1 [0063.586] lstrlenW (lpString="focuses.exe") returned 11 [0063.586] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fi fence.exe")) returned 1 [0063.587] lstrlenW (lpString="fi fence.exe") returned 12 [0063.587] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="knight.exe")) returned 1 [0063.588] lstrlenW (lpString="knight.exe") returned 10 [0063.588] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="library.exe")) returned 1 [0063.588] lstrlenW (lpString="library.exe") returned 11 [0063.588] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.589] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.589] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.589] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.590] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.590] lstrlenW (lpString="taskhost.exe") returned 12 [0063.590] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0063.591] lstrlenW (lpString="winhost.exe") returned 11 [0063.591] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0063.593] lstrlenW (lpString="cmd.exe") returned 7 [0063.593] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x568, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.593] lstrlenW (lpString="conhost.exe") returned 11 [0063.594] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0063.594] lstrlenW (lpString="vssadmin.exe") returned 12 [0063.594] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0063.595] lstrlenW (lpString="VSSVC.exe") returned 9 [0063.595] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.595] lstrlenW (lpString="svchost.exe") returned 11 [0063.595] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0063.596] lstrlenW (lpString="LogonUI.exe") returned 11 [0063.596] Process32NextW (in: hSnapshot=0x224, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0063.596] CloseHandle (hObject=0x224) returned 1 [0063.596] Sleep (dwMilliseconds=0x1f4) [0064.328] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a3510 [0064.329] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 0 [0064.329] GetLastError () returned 0xea [0064.329] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c6) returned 0x3f410a8 [0064.329] EnumServicesStatusExW (in: hSCManager=0x5a3510, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f410a8, cbBufSize=0x12c6, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f410a8, pcbBytesNeeded=0x6fff44, lpServicesReturned=0x6fff5c, lpResumeHandle=0x0) returned 1 [0064.330] CloseServiceHandle (hSCObject=0x5a3510) returned 1 [0064.330] lstrlenW (lpString="Appinfo") returned 7 [0064.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0064.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0064.331] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0064.331] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0064.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0064.331] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0064.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.331] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0064.331] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0064.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0064.331] lstrlenW (lpString="AudioSrv") returned 8 [0064.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0064.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0064.332] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0064.332] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0064.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0064.332] lstrlenW (lpString="BFE") returned 3 [0064.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0064.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0064.332] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0064.332] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0064.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0064.332] lstrlenW (lpString="CryptSvc") returned 8 [0064.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0064.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0064.332] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0064.332] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0064.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0064.332] lstrlenW (lpString="CscService") returned 10 [0064.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0064.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0064.332] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0064.332] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0064.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0064.332] lstrlenW (lpString="DcomLaunch") returned 10 [0064.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.332] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0064.332] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0064.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0064.332] lstrlenW (lpString="Dhcp") returned 4 [0064.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0064.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0064.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0064.333] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0064.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0064.333] lstrlenW (lpString="Dnscache") returned 8 [0064.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0064.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0064.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0064.333] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0064.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0064.333] lstrlenW (lpString="DPS") returned 3 [0064.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0064.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0064.333] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0064.333] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0064.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0064.333] lstrlenW (lpString="eventlog") returned 8 [0064.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0064.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0064.333] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0064.333] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0064.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0064.333] lstrlenW (lpString="EventSystem") returned 11 [0064.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0064.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0064.334] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0064.334] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0064.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0064.334] lstrlenW (lpString="gpsvc") returned 5 [0064.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0064.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0064.334] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0064.334] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0064.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0064.334] lstrlenW (lpString="iphlpsvc") returned 8 [0064.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.334] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0064.334] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0064.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0064.334] lstrlenW (lpString="LanmanServer") returned 12 [0064.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0064.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0064.334] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0064.334] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0064.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0064.334] lstrlenW (lpString="LanmanWorkstation") returned 17 [0064.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.334] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0064.334] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0064.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0064.334] lstrlenW (lpString="lmhosts") returned 7 [0064.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0064.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0064.335] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0064.335] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0064.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0064.335] lstrlenW (lpString="MMCSS") returned 5 [0064.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0064.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0064.335] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0064.335] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0064.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0064.335] lstrlenW (lpString="MpsSvc") returned 6 [0064.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0064.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0064.335] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0064.335] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0064.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0064.335] lstrlenW (lpString="Netman") returned 6 [0064.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0064.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0064.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0064.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0064.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0064.335] lstrlenW (lpString="netprofm") returned 8 [0064.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0064.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0064.335] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0064.335] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0064.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0064.336] lstrlenW (lpString="NlaSvc") returned 6 [0064.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0064.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0064.336] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0064.336] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0064.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0064.336] lstrlenW (lpString="nsi") returned 3 [0064.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0064.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0064.336] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0064.336] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0064.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0064.336] lstrlenW (lpString="PcaSvc") returned 6 [0064.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0064.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0064.336] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0064.336] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0064.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0064.336] lstrlenW (lpString="PlugPlay") returned 8 [0064.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0064.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0064.336] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0064.336] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0064.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0064.336] lstrlenW (lpString="Power") returned 5 [0064.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0064.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0064.337] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0064.337] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0064.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0064.337] lstrlenW (lpString="ProfSvc") returned 7 [0064.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0064.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0064.337] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0064.337] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0064.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0064.337] lstrlenW (lpString="RpcEptMapper") returned 12 [0064.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.337] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0064.337] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0064.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0064.337] lstrlenW (lpString="RpcSs") returned 5 [0064.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0064.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0064.337] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0064.337] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0064.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0064.337] lstrlenW (lpString="SamSs") returned 5 [0064.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0064.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0064.337] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0064.337] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0064.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0064.337] lstrlenW (lpString="Schedule") returned 8 [0064.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0064.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0064.338] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0064.338] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0064.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0064.338] lstrlenW (lpString="SENS") returned 4 [0064.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0064.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0064.338] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0064.338] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0064.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0064.338] lstrlenW (lpString="ShellHWDetection") returned 16 [0064.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.338] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0064.338] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0064.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0064.338] lstrlenW (lpString="Spooler") returned 7 [0064.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0064.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0064.338] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0064.338] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0064.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0064.338] lstrlenW (lpString="swprv") returned 5 [0064.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0064.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0064.338] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0064.339] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0064.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0064.339] lstrlenW (lpString="SysMain") returned 7 [0064.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0064.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0064.339] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0064.339] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0064.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0064.339] lstrlenW (lpString="Themes") returned 6 [0064.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0064.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0064.339] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0064.339] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0064.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0064.339] lstrlenW (lpString="TrkWks") returned 6 [0064.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0064.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0064.339] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0064.339] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0064.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0064.339] lstrlenW (lpString="UxSms") returned 5 [0064.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0064.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0064.339] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0064.339] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0064.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0064.339] lstrlenW (lpString="VSS") returned 3 [0064.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0064.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0064.340] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0064.340] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0064.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0064.340] lstrlenW (lpString="WdiServiceHost") returned 14 [0064.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0064.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0064.340] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0064.340] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0064.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0064.340] lstrlenW (lpString="WdiSystemHost") returned 13 [0064.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0064.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0064.340] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0064.340] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0064.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0064.340] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0064.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0064.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0064.340] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0064.340] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0064.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0064.340] lstrlenW (lpString="Winmgmt") returned 7 [0064.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0064.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0064.340] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0064.341] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0064.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0064.341] lstrlenW (lpString="WPDBusEnum") returned 10 [0064.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0064.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0064.341] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0064.341] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0064.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0064.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f410a8 | out: hHeap=0x500000) returned 1 [0064.341] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c4 [0064.348] Process32FirstW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.349] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0064.349] lstrlenW (lpString="System") returned 6 [0064.349] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0064.350] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0064.350] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0064.350] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0064.350] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0064.350] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0064.350] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0064.350] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0064.351] lstrlenW (lpString="smss.exe") returned 8 [0064.351] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0064.351] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0064.351] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0064.351] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0064.351] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0064.351] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0064.351] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0064.351] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.352] lstrlenW (lpString="csrss.exe") returned 9 [0064.352] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0064.352] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0064.352] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0064.352] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0064.352] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0064.352] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0064.352] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0064.352] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0064.353] lstrlenW (lpString="wininit.exe") returned 11 [0064.353] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0064.353] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0064.353] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0064.353] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.354] lstrlenW (lpString="csrss.exe") returned 9 [0064.354] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0064.354] lstrlenW (lpString="winlogon.exe") returned 12 [0064.355] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0064.355] lstrlenW (lpString="services.exe") returned 12 [0064.355] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0064.356] lstrlenW (lpString="lsass.exe") returned 9 [0064.356] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0064.357] lstrlenW (lpString="lsm.exe") returned 7 [0064.357] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.358] lstrlenW (lpString="svchost.exe") returned 11 [0064.358] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.359] lstrlenW (lpString="svchost.exe") returned 11 [0064.359] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.359] lstrlenW (lpString="svchost.exe") returned 11 [0064.359] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.360] lstrlenW (lpString="svchost.exe") returned 11 [0064.360] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.361] lstrlenW (lpString="svchost.exe") returned 11 [0064.361] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.361] lstrlenW (lpString="audiodg.exe") returned 11 [0064.361] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.362] lstrlenW (lpString="svchost.exe") returned 11 [0064.362] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.363] lstrlenW (lpString="svchost.exe") returned 11 [0064.363] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0064.363] lstrlenW (lpString="dwm.exe") returned 7 [0064.363] Process32NextW (in: hSnapshot=0x1c4, lppe=0x6ffd34 | out: lppe=0x6ffd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.364] lstrlenW (lpString="explorer.exe") returned 12 [0064.364] Process32NextW (hSnapshot=0x1c4, lppe=0x6ffd34) Thread: id = 5 os_tid = 0x25c [0034.987] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0034.987] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534a38 | out: hHeap=0x500000) returned 1 Thread: id = 6 os_tid = 0x51c [0034.988] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x534a38 [0034.988] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x534a38, Size=0x20) returned 0x535b40 [0034.988] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x535b40, Size=0x40) returned 0x536ba8 [0034.988] GetLogicalDrives () returned 0x4 [0034.989] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x58d470 [0034.989] GetComputerNameW (in: lpBuffer=0x58d474, nSize=0x246ff6c | out: lpBuffer="XDUWTFONO", nSize=0x246ff6c) returned 1 [0034.990] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1000) returned 0x5530a8 [0034.990] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x246ff3c | out: lphEnum=0x246ff3c*=0x536148) returned 0x0 [0034.990] WNetEnumResourceW (in: hEnum=0x536148, lpcCount=0x246ff38, lpBuffer=0x5530a8, lpBufferSize=0x246ff40 | out: lpcCount=0x246ff38, lpBuffer=0x5530a8, lpBufferSize=0x246ff40) returned 0x103 [0034.990] WNetCloseEnum (hEnum=0x536148) returned 0x0 [0034.990] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x246ff3c | out: lphEnum=0x246ff3c*=0x5544b0) returned 0x0 [0037.816] WNetEnumResourceW (in: hEnum=0x5544b0, lpcCount=0x246ff38, lpBuffer=0x5530a8, lpBufferSize=0x246ff40 | out: lpcCount=0x246ff38, lpBuffer=0x5530a8, lpBufferSize=0x246ff40) returned 0x0 [0037.816] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1000) returned 0x38120d0 [0037.816] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5530a8, lphEnum=0x246ff10 | out: lphEnum=0x246ff10*=0x536368) returned 0x0 [0037.842] WNetEnumResourceW (in: hEnum=0x536368, lpcCount=0x246ff0c, lpBuffer=0x38120d0, lpBufferSize=0x246ff14 | out: lpcCount=0x246ff0c, lpBuffer=0x38120d0, lpBufferSize=0x246ff14) returned 0x103 [0037.842] WNetCloseEnum (hEnum=0x536368) returned 0x0 [0037.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1000) returned 0x3816120 [0037.842] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5530c8, lphEnum=0x246ff10 | out: lphEnum=0x246ff10*=0x0) returned 0x4b8 [0059.310] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1000) returned 0x3f16100 [0059.310] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5530e8, lphEnum=0x246ff10 | out: lphEnum=0x246ff10*=0x0) returned 0x4c6 [0059.319] WNetEnumResourceW (in: hEnum=0x5544b0, lpcCount=0x246ff38, lpBuffer=0x5530a8, lpBufferSize=0x246ff40 | out: lpcCount=0x246ff38, lpBuffer=0x5530a8, lpBufferSize=0x246ff40) returned 0x103 [0059.320] WNetCloseEnum (hEnum=0x5544b0) returned 0x0 [0059.320] GetLogicalDrives () returned 0x4 [0059.320] Sleep (dwMilliseconds=0x64) [0059.586] GetLogicalDrives () returned 0x4 [0059.586] Sleep (dwMilliseconds=0x64) [0060.168] GetLogicalDrives () returned 0x4 [0060.168] Sleep (dwMilliseconds=0x64) [0060.447] GetLogicalDrives () returned 0x4 [0060.447] Sleep (dwMilliseconds=0x64) [0060.975] GetLogicalDrives () returned 0x4 [0060.976] Sleep (dwMilliseconds=0x64) [0062.386] GetLogicalDrives () returned 0x4 [0062.386] Sleep (dwMilliseconds=0x64) [0063.436] GetLogicalDrives () returned 0x4 [0063.437] Sleep (dwMilliseconds=0x64) [0063.742] GetLogicalDrives () returned 0x4 [0063.742] Sleep (dwMilliseconds=0x64) [0064.124] GetLogicalDrives () returned 0x4 [0064.124] Sleep (dwMilliseconds=0x64) [0064.367] GetLogicalDrives () returned 0x4 [0064.367] Sleep (dwMilliseconds=0x64) Thread: id = 7 os_tid = 0x518 [0036.114] GetTickCount () returned 0x11437b4 [0036.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x24) returned 0x54c428 [0036.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54c428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0036.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54c428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0036.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54c428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0036.117] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54c428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0036.117] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a6e8 [0036.117] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a6e8, Size=0x20) returned 0x535d20 [0036.117] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a6e8 [0036.117] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a6e8, Size=0x20) returned 0x535d48 [0036.118] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0036.118] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0036.118] Wow64DisableWow64FsRedirection (in: OldValue=0x256ff84 | out: OldValue=0x256ff84*=0x0) returned 1 [0036.118] lstrlenW (lpString="kernel32.dll") returned 12 [0036.118] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535d20 | out: hHeap=0x500000) returned 1 [0036.118] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0036.118] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535d48 | out: hHeap=0x500000) returned 1 [0036.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x53b430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0036.119] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.480] GetTickCount () returned 0x1143821 [0036.480] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.722] GetTickCount () returned 0x114388e [0036.722] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.956] GetTickCount () returned 0x11438fb [0036.956] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.151] GetTickCount () returned 0x11439c6 [0037.151] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.327] GetTickCount () returned 0x1143a62 [0037.327] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.771] GetTickCount () returned 0x1143adf [0037.771] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.879] GetTickCount () returned 0x1143b4c [0037.879] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.990] GetTickCount () returned 0x1143bb9 [0037.990] GetTickCount () returned 0x1143bb9 [0037.990] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0038.307] GetTickCount () returned 0x1143d01 [0038.307] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0038.806] GetTickCount () returned 0x1143e87 [0038.806] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.141] GetTickCount () returned 0x1143fbf [0039.141] GetTickCount () returned 0x1143fbf [0039.141] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.569] GetTickCount () returned 0x1144107 [0039.569] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.463] GetTickCount () returned 0x114421f [0040.463] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.655] GetTickCount () returned 0x11442db [0040.655] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.868] GetTickCount () returned 0x11443b5 [0040.868] GetTickCount () returned 0x11443b5 [0040.868] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.426] GetTickCount () returned 0x11445b8 [0041.426] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.800] GetTickCount () returned 0x114470f [0041.800] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.614] GetTickCount () returned 0x1144a1b [0042.614] GetTickCount () returned 0x1144a1b [0042.614] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.110] GetTickCount () returned 0x1144bc0 [0043.110] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.403] GetTickCount () returned 0x1144cd9 [0043.403] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.609] GetTickCount () returned 0x1144db3 [0043.609] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.905] GetTickCount () returned 0x1144e9d [0043.905] GetTickCount () returned 0x1144e9d [0043.905] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.235] GetTickCount () returned 0x1144fc6 [0044.235] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.489] GetTickCount () returned 0x11450bf [0044.489] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.846] GetTickCount () returned 0x1145226 [0044.846] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.221] GetTickCount () returned 0x114537d [0045.221] GetTickCount () returned 0x114537d [0045.221] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.561] GetTickCount () returned 0x11454d5 [0045.561] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.918] GetTickCount () returned 0x114563b [0045.918] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.233] GetTickCount () returned 0x1145773 [0046.233] GetTickCount () returned 0x1145773 [0046.233] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.700] GetTickCount () returned 0x1145947 [0046.700] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.050] GetTickCount () returned 0x1145a51 [0047.050] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.253] GetTickCount () returned 0x1145b1b [0047.253] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.509] GetTickCount () returned 0x1145c25 [0047.509] GetTickCount () returned 0x1145c25 [0047.509] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.979] GetTickCount () returned 0x1145dd9 [0047.979] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.290] GetTickCount () returned 0x1145e75 [0048.290] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.039] GetTickCount () returned 0x114600b [0049.039] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.360] GetTickCount () returned 0x1146143 [0049.360] GetTickCount () returned 0x1146143 [0049.360] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.049] GetTickCount () returned 0x1146346 [0050.049] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.225] GetTickCount () returned 0x1146401 [0050.225] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.335] GetTickCount () returned 0x114646e [0050.335] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.479] GetTickCount () returned 0x11464fb [0050.479] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.810] GetTickCount () returned 0x1146642 [0050.810] GetTickCount () returned 0x1146642 [0050.810] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.997] GetTickCount () returned 0x11466fd [0050.997] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.280] GetTickCount () returned 0x1146816 [0051.280] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.690] GetTickCount () returned 0x11469bb [0051.690] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.016] GetTickCount () returned 0x1146af3 [0052.016] GetTickCount () returned 0x1146af3 [0052.016] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.337] GetTickCount () returned 0x1146c3b [0052.337] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.620] GetTickCount () returned 0x1146d54 [0052.620] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.798] GetTickCount () returned 0x1146e0f [0052.798] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.389] GetTickCount () returned 0x1147050 [0053.389] GetTickCount () returned 0x1147050 [0053.389] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.793] GetTickCount () returned 0x11471e6 [0053.793] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.897] GetTickCount () returned 0x1147639 [0054.897] GetTickCount () returned 0x1147639 [0054.897] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.299] GetTickCount () returned 0x11477cf [0055.299] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.545] GetTickCount () returned 0x11478c9 [0055.545] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.910] GetTickCount () returned 0x1147a2f [0055.910] GetTickCount () returned 0x1147a2f [0055.910] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.438] GetTickCount () returned 0x1147c42 [0056.438] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.683] GetTickCount () returned 0x1147d3b [0056.683] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.644] GetTickCount () returned 0x11480f3 [0057.644] GetTickCount () returned 0x11480f3 [0057.644] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.901] GetTickCount () returned 0x11481fc [0057.901] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.066] GetTickCount () returned 0x1148298 [0058.066] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.164] GetTickCount () returned 0x1148305 [0058.164] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.273] GetTickCount () returned 0x1148373 [0058.273] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.382] GetTickCount () returned 0x11483e0 [0058.382] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.491] GetTickCount () returned 0x114844d [0058.491] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.600] GetTickCount () returned 0x11484ba [0058.600] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.710] GetTickCount () returned 0x1148527 [0058.710] GetTickCount () returned 0x1148527 [0058.710] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.819] GetTickCount () returned 0x1148595 [0058.819] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.054] GetTickCount () returned 0x114867f [0059.055] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.264] GetTickCount () returned 0x1148749 [0059.264] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.455] GetTickCount () returned 0x1148805 [0059.455] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.604] GetTickCount () returned 0x11488a1 [0059.604] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.169] GetTickCount () returned 0x1148ad2 [0060.169] GetTickCount () returned 0x1148ad2 [0060.169] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.447] GetTickCount () returned 0x1148beb [0060.447] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.976] GetTickCount () returned 0x1148dfd [0060.976] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0062.387] GetTickCount () returned 0x114932c [0062.387] GetTickCount () returned 0x114932c [0062.387] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.437] GetTickCount () returned 0x1149741 [0063.437] GetTickCount () returned 0x1149741 [0063.437] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.742] GetTickCount () returned 0x114980c [0063.742] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.124] GetTickCount () returned 0x1149992 [0064.124] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.367] GetTickCount () returned 0x1149a7c [0064.367] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) Thread: id = 8 os_tid = 0x5e0 [0036.646] GetTickCount () returned 0x1143840 [0036.646] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x24) returned 0x54b588 [0036.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54b588, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0036.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54b588, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0036.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54b588, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0036.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x54b588, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0036.659] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7d8 [0036.660] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a7d8, Size=0x20) returned 0x5a34c0 [0036.660] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7d8 [0036.660] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a7d8, Size=0x20) returned 0x5a34e8 [0036.660] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0036.660] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0036.660] Wow64DisableWow64FsRedirection (in: OldValue=0x1faff84 | out: OldValue=0x1faff84*=0x0) returned 1 [0036.660] lstrlenW (lpString="kernel32.dll") returned 12 [0036.660] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34c0 | out: hHeap=0x500000) returned 1 [0036.660] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0036.660] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34e8 | out: hHeap=0x500000) returned 1 [0036.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x55d440, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x150 [0036.686] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.792] GetTickCount () returned 0x11438dc [0036.792] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.056] GetTickCount () returned 0x1143959 [0037.056] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.153] GetTickCount () returned 0x11439c6 [0037.153] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.324] GetTickCount () returned 0x1143a62 [0037.324] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.771] GetTickCount () returned 0x1143adf [0037.771] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.879] GetTickCount () returned 0x1143b4c [0037.879] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.990] GetTickCount () returned 0x1143bb9 [0037.990] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0038.307] GetTickCount () returned 0x1143d01 [0038.307] GetTickCount () returned 0x1143d01 [0038.307] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0038.805] GetTickCount () returned 0x1143e87 [0038.805] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.134] GetTickCount () returned 0x1143fbf [0039.134] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.569] GetTickCount () returned 0x1144107 [0039.569] GetTickCount () returned 0x1144107 [0039.569] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.463] GetTickCount () returned 0x114421f [0040.463] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.655] GetTickCount () returned 0x11442db [0040.655] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.867] GetTickCount () returned 0x11443b5 [0040.867] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.425] GetTickCount () returned 0x11445b8 [0041.425] GetTickCount () returned 0x11445b8 [0041.425] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.799] GetTickCount () returned 0x114470f [0041.799] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.613] GetTickCount () returned 0x1144a1b [0042.614] GetTickCount () returned 0x1144a1b [0042.614] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.110] GetTickCount () returned 0x1144bc0 [0043.110] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.403] GetTickCount () returned 0x1144cd9 [0043.403] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.609] GetTickCount () returned 0x1144db3 [0043.609] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.905] GetTickCount () returned 0x1144e9d [0043.905] GetTickCount () returned 0x1144e9d [0043.905] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.235] GetTickCount () returned 0x1144fc6 [0044.235] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.489] GetTickCount () returned 0x11450bf [0044.489] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.846] GetTickCount () returned 0x1145226 [0044.846] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.221] GetTickCount () returned 0x114537d [0045.221] GetTickCount () returned 0x114537d [0045.221] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.561] GetTickCount () returned 0x11454d5 [0045.561] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.918] GetTickCount () returned 0x114563b [0045.918] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.233] GetTickCount () returned 0x1145773 [0046.233] GetTickCount () returned 0x1145773 [0046.233] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.700] GetTickCount () returned 0x1145947 [0046.700] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.050] GetTickCount () returned 0x1145a51 [0047.050] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.253] GetTickCount () returned 0x1145b1b [0047.253] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.509] GetTickCount () returned 0x1145c25 [0047.509] GetTickCount () returned 0x1145c25 [0047.509] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.979] GetTickCount () returned 0x1145dd9 [0047.979] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.290] GetTickCount () returned 0x1145e75 [0048.290] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.039] GetTickCount () returned 0x114600b [0049.039] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.360] GetTickCount () returned 0x1146143 [0049.360] GetTickCount () returned 0x1146143 [0049.360] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.049] GetTickCount () returned 0x1146346 [0050.049] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.225] GetTickCount () returned 0x1146401 [0050.225] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.335] GetTickCount () returned 0x114646e [0050.335] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.479] GetTickCount () returned 0x11464fb [0050.479] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.810] GetTickCount () returned 0x1146642 [0050.810] GetTickCount () returned 0x1146642 [0050.810] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.997] GetTickCount () returned 0x11466fd [0050.997] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.280] GetTickCount () returned 0x1146816 [0051.280] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.690] GetTickCount () returned 0x11469bb [0051.690] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.016] GetTickCount () returned 0x1146af3 [0052.016] GetTickCount () returned 0x1146af3 [0052.016] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.337] GetTickCount () returned 0x1146c3b [0052.337] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.620] GetTickCount () returned 0x1146d54 [0052.620] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.798] GetTickCount () returned 0x1146e0f [0052.798] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.351] GetTickCount () returned 0x1147031 [0053.351] GetTickCount () returned 0x1147031 [0053.382] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.792] GetTickCount () returned 0x11471e6 [0053.793] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.898] GetTickCount () returned 0x1147639 [0054.898] GetTickCount () returned 0x1147639 [0054.898] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.299] GetTickCount () returned 0x11477cf [0055.300] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.545] GetTickCount () returned 0x11478c9 [0055.545] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.911] GetTickCount () returned 0x1147a2f [0055.911] GetTickCount () returned 0x1147a2f [0055.911] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.438] GetTickCount () returned 0x1147c42 [0056.438] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.683] GetTickCount () returned 0x1147d3b [0056.683] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.644] GetTickCount () returned 0x11480f3 [0057.644] GetTickCount () returned 0x11480f3 [0057.644] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.902] GetTickCount () returned 0x11481fc [0057.902] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.066] GetTickCount () returned 0x1148298 [0058.066] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.164] GetTickCount () returned 0x1148305 [0058.164] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.273] GetTickCount () returned 0x1148373 [0058.273] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.382] GetTickCount () returned 0x11483e0 [0058.382] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.491] GetTickCount () returned 0x114844d [0058.491] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.601] GetTickCount () returned 0x11484ba [0058.601] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.710] GetTickCount () returned 0x1148527 [0058.710] GetTickCount () returned 0x1148527 [0058.710] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.819] GetTickCount () returned 0x1148595 [0058.819] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.055] GetTickCount () returned 0x114867f [0059.055] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.264] GetTickCount () returned 0x1148749 [0059.264] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.455] GetTickCount () returned 0x1148805 [0059.455] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.604] GetTickCount () returned 0x11488a1 [0059.604] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.169] GetTickCount () returned 0x1148ad2 [0060.169] GetTickCount () returned 0x1148ad2 [0060.169] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.447] GetTickCount () returned 0x1148beb [0060.447] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.976] GetTickCount () returned 0x1148dfd [0060.976] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0062.387] GetTickCount () returned 0x114932c [0062.387] GetTickCount () returned 0x114932c [0062.387] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.437] GetTickCount () returned 0x1149741 [0063.437] GetTickCount () returned 0x1149741 [0063.437] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.742] GetTickCount () returned 0x114980c [0063.742] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.124] GetTickCount () returned 0x1149992 [0064.124] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.367] GetTickCount () returned 0x1149a7c [0064.367] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) Thread: id = 9 os_tid = 0x360 [0036.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x56d460 [0036.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x57d468 [0036.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a760 [0036.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x53a380 [0036.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a718 [0036.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3030020 [0036.648] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a730 [0036.648] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a730, Size=0x20) returned 0x5a34c0 [0036.648] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a730 [0036.648] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a730, Size=0x20) returned 0x5a34e8 [0036.648] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0036.648] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0036.648] Wow64DisableWow64FsRedirection (in: OldValue=0x2a6ff58 | out: OldValue=0x2a6ff58*=0x0) returned 1 [0036.648] lstrlenW (lpString="kernel32.dll") returned 12 [0036.648] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34c0 | out: hHeap=0x500000) returned 1 [0036.648] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0036.649] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34e8 | out: hHeap=0x500000) returned 1 [0036.649] Sleep (dwMilliseconds=0x64) [0036.746] lstrcmpiW (lpString1=".ini", lpString2=".NcOv") returned -1 [0036.746] lstrlenW (lpString="desktop.ini") returned 11 [0036.746] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0036.746] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=129) returned 1 [0036.746] CloseHandle (hObject=0x164) returned 1 [0036.746] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0036.746] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0036.746] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0036.747] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.747] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.747] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0036.747] GetLastError () returned 0x0 [0036.747] ReadFile (in: hFile=0x164, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x81, lpOverlapped=0x0) returned 1 [0036.760] WriteFile (in: hFile=0x168, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x90, lpOverlapped=0x0) returned 1 [0036.761] ReadFile (in: hFile=0x164, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.761] WriteFile (in: hFile=0x168, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0036.762] SetEndOfFile (hFile=0x168) returned 1 [0036.762] CloseHandle (hObject=0x168) returned 1 [0036.763] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.763] SetEndOfFile (hFile=0x164) returned 1 [0036.763] CloseHandle (hObject=0x164) returned 1 [0036.763] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x26) returned 1 [0036.764] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0036.764] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.764] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.764] lstrlenW (lpString=".doc") returned 4 [0036.764] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0036.764] lstrlenW (lpString=".docx") returned 5 [0036.764] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0036.764] lstrlenW (lpString=".pdf") returned 4 [0036.764] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0036.764] lstrlenW (lpString=".xls") returned 4 [0036.764] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0036.764] lstrlenW (lpString=".xlsx") returned 5 [0036.764] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0036.764] lstrlenW (lpString=".ppt") returned 4 [0036.764] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0036.764] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.764] lstrlenW (lpString=".zip") returned 4 [0036.764] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0036.764] lstrlenW (lpString=".rar") returned 4 [0036.764] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0036.764] lstrlenW (lpString=".bz2") returned 4 [0036.765] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0036.765] lstrlenW (lpString=".7z") returned 3 [0036.765] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString=".dbf") returned 4 [0036.765] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString=".1cd") returned 4 [0036.765] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString=".jpg") returned 4 [0036.765] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString=".doc") returned 4 [0036.765] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0036.765] lstrlenW (lpString=".docx") returned 5 [0036.765] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0036.765] lstrlenW (lpString=".pdf") returned 4 [0036.765] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0036.765] lstrlenW (lpString=".xls") returned 4 [0036.765] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0036.765] lstrlenW (lpString=".xlsx") returned 5 [0036.765] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0036.765] lstrlenW (lpString=".ppt") returned 4 [0036.765] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString=".zip") returned 4 [0036.765] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0036.765] lstrlenW (lpString=".rar") returned 4 [0036.765] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0036.765] lstrlenW (lpString=".bz2") returned 4 [0036.765] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0036.765] lstrlenW (lpString=".7z") returned 3 [0036.765] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0036.765] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.765] lstrlenW (lpString=".dbf") returned 4 [0036.765] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0036.766] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.766] lstrlenW (lpString=".1cd") returned 4 [0036.766] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0036.766] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.766] lstrlenW (lpString=".jpg") returned 4 [0036.766] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0036.766] lstrcmpiW (lpString1=".LOG", lpString2=".NcOv") returned -1 [0036.766] lstrlenW (lpString="BCD.LOG") returned 7 [0036.766] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.766] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.766] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.766] lstrlenW (lpString=".doc") returned 4 [0036.766] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0036.766] lstrlenW (lpString=".docx") returned 5 [0036.766] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0036.766] lstrlenW (lpString=".pdf") returned 4 [0036.766] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0036.766] lstrlenW (lpString=".xls") returned 4 [0036.766] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0036.766] lstrlenW (lpString=".xlsx") returned 5 [0036.766] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0036.766] lstrlenW (lpString=".ppt") returned 4 [0036.766] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0036.766] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.766] lstrlenW (lpString=".zip") returned 4 [0036.766] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0036.766] lstrlenW (lpString=".rar") returned 4 [0036.766] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0036.766] lstrlenW (lpString=".bz2") returned 4 [0036.766] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0036.766] lstrlenW (lpString=".7z") returned 3 [0036.766] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".dbf") returned 4 [0036.767] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".1cd") returned 4 [0036.767] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".jpg") returned 4 [0036.767] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".doc") returned 4 [0036.767] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0036.767] lstrlenW (lpString=".docx") returned 5 [0036.767] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0036.767] lstrlenW (lpString=".pdf") returned 4 [0036.767] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0036.767] lstrlenW (lpString=".xls") returned 4 [0036.767] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0036.767] lstrlenW (lpString=".xlsx") returned 5 [0036.767] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0036.767] lstrlenW (lpString=".ppt") returned 4 [0036.767] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".zip") returned 4 [0036.767] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0036.767] lstrlenW (lpString=".rar") returned 4 [0036.767] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0036.767] lstrlenW (lpString=".bz2") returned 4 [0036.767] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0036.767] lstrlenW (lpString=".7z") returned 3 [0036.767] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".dbf") returned 4 [0036.767] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0036.767] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.767] lstrlenW (lpString=".1cd") returned 4 [0036.768] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0036.768] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0036.768] lstrlenW (lpString=".jpg") returned 4 [0036.768] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0036.768] lstrcmpiW (lpString1=".DAT", lpString2=".NcOv") returned -1 [0036.768] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0036.768] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0036.768] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=65536) returned 1 [0036.768] CloseHandle (hObject=0x164) returned 1 [0036.768] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0036.768] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0036.768] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0036.768] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.769] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.769] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0036.769] GetLastError () returned 0x0 [0036.769] ReadFile (in: hFile=0x164, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x10000, lpOverlapped=0x0) returned 1 [0036.771] WriteFile (in: hFile=0x168, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0036.773] ReadFile (in: hFile=0x164, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.773] WriteFile (in: hFile=0x168, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.773] SetEndOfFile (hFile=0x168) returned 1 [0036.774] CloseHandle (hObject=0x168) returned 1 [0036.775] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.775] SetEndOfFile (hFile=0x164) returned 1 [0036.777] CloseHandle (hObject=0x164) returned 1 [0036.777] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x26) returned 1 [0036.777] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0036.777] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.777] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.777] lstrlenW (lpString=".doc") returned 4 [0036.777] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0036.777] lstrlenW (lpString=".docx") returned 5 [0036.777] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0036.777] lstrlenW (lpString=".pdf") returned 4 [0036.778] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".xls") returned 4 [0036.778] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".xlsx") returned 5 [0036.778] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0036.778] lstrlenW (lpString=".ppt") returned 4 [0036.778] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.778] lstrlenW (lpString=".zip") returned 4 [0036.778] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".rar") returned 4 [0036.778] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".bz2") returned 4 [0036.778] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0036.778] lstrlenW (lpString=".7z") returned 3 [0036.778] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0036.778] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.778] lstrlenW (lpString=".dbf") returned 4 [0036.778] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.778] lstrlenW (lpString=".1cd") returned 4 [0036.778] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0036.778] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.778] lstrlenW (lpString=".jpg") returned 4 [0036.778] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.778] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.778] lstrlenW (lpString=".doc") returned 4 [0036.778] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".docx") returned 5 [0036.778] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0036.778] lstrlenW (lpString=".pdf") returned 4 [0036.778] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".xls") returned 4 [0036.778] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0036.778] lstrlenW (lpString=".xlsx") returned 5 [0036.778] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0036.778] lstrlenW (lpString=".ppt") returned 4 [0036.779] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0036.779] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.779] lstrlenW (lpString=".zip") returned 4 [0036.779] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0036.779] lstrlenW (lpString=".rar") returned 4 [0036.779] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0036.779] lstrlenW (lpString=".bz2") returned 4 [0036.779] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0036.779] lstrlenW (lpString=".7z") returned 3 [0036.779] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0036.779] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.779] lstrlenW (lpString=".dbf") returned 4 [0036.779] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0036.779] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.779] lstrlenW (lpString=".1cd") returned 4 [0036.779] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0036.779] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0036.779] lstrlenW (lpString=".jpg") returned 4 [0036.779] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0036.779] lstrcmpiW (lpString1=".BAK", lpString2=".NcOv") returned -1 [0036.779] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0036.779] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0036.785] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=8192) returned 1 [0036.785] CloseHandle (hObject=0x168) returned 1 [0036.785] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0036.785] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\bootsect.bak.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0036.785] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0036.785] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0036.785] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.785] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.785] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\bootsect.bak.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0036.793] GetLastError () returned 0x0 [0036.793] ReadFile (in: hFile=0x168, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x2000, lpOverlapped=0x0) returned 1 [0036.935] WriteFile (in: hFile=0x15c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x2010, lpOverlapped=0x0) returned 1 [0036.936] ReadFile (in: hFile=0x168, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.936] WriteFile (in: hFile=0x15c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.936] SetEndOfFile (hFile=0x15c) returned 1 [0036.937] CloseHandle (hObject=0x15c) returned 1 [0036.937] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.937] SetEndOfFile (hFile=0x168) returned 1 [0036.938] CloseHandle (hObject=0x168) returned 1 [0036.938] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x27) returned 1 [0036.939] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0036.939] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.939] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.939] lstrlenW (lpString=".doc") returned 4 [0036.939] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString=".docx") returned 5 [0036.939] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0036.939] lstrlenW (lpString=".pdf") returned 4 [0036.939] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString=".xls") returned 4 [0036.939] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString=".xlsx") returned 5 [0036.939] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0036.939] lstrlenW (lpString=".ppt") returned 4 [0036.939] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.939] lstrlenW (lpString=".zip") returned 4 [0036.939] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString=".rar") returned 4 [0036.939] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString=".bz2") returned 4 [0036.939] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0036.939] lstrlenW (lpString=".7z") returned 3 [0036.939] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0036.939] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.939] lstrlenW (lpString=".dbf") returned 4 [0036.940] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".1cd") returned 4 [0036.940] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".jpg") returned 4 [0036.940] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".doc") returned 4 [0036.940] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString=".docx") returned 5 [0036.940] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0036.940] lstrlenW (lpString=".pdf") returned 4 [0036.940] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString=".xls") returned 4 [0036.940] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString=".xlsx") returned 5 [0036.940] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0036.940] lstrlenW (lpString=".ppt") returned 4 [0036.940] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".zip") returned 4 [0036.940] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString=".rar") returned 4 [0036.940] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString=".bz2") returned 4 [0036.940] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString=".7z") returned 3 [0036.940] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".dbf") returned 4 [0036.940] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".1cd") returned 4 [0036.940] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0036.940] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0036.940] lstrlenW (lpString=".jpg") returned 4 [0036.941] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0036.941] Sleep (dwMilliseconds=0x64) [0037.108] Sleep (dwMilliseconds=0x64) [0037.213] Sleep (dwMilliseconds=0x64) [0037.707] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.707] lstrlenW (lpString="Proof.xml") returned 9 [0037.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.707] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1457) returned 1 [0037.707] CloseHandle (hObject=0x170) returned 1 [0037.707] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0037.707] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.707] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.707] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.708] GetLastError () returned 0x0 [0037.708] ReadFile (in: hFile=0x170, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0037.719] WriteFile (in: hFile=0x174, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0037.720] ReadFile (in: hFile=0x170, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.720] WriteFile (in: hFile=0x174, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.720] SetEndOfFile (hFile=0x174) returned 1 [0037.720] CloseHandle (hObject=0x174) returned 1 [0037.720] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.720] SetEndOfFile (hFile=0x170) returned 1 [0037.721] CloseHandle (hObject=0x170) returned 1 [0037.721] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.722] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0037.722] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.722] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.722] lstrlenW (lpString=".doc") returned 4 [0037.722] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.722] lstrlenW (lpString=".docx") returned 5 [0037.722] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0037.722] lstrlenW (lpString=".pdf") returned 4 [0037.722] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.722] lstrlenW (lpString=".xls") returned 4 [0037.722] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.722] lstrlenW (lpString=".xlsx") returned 5 [0037.722] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0037.722] lstrlenW (lpString=".ppt") returned 4 [0037.722] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.722] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.722] lstrlenW (lpString=".zip") returned 4 [0037.722] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.722] lstrlenW (lpString=".rar") returned 4 [0037.722] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".bz2") returned 4 [0037.723] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".7z") returned 3 [0037.723] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.723] lstrlenW (lpString=".dbf") returned 4 [0037.723] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.723] lstrlenW (lpString=".1cd") returned 4 [0037.723] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.723] lstrlenW (lpString=".jpg") returned 4 [0037.723] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.723] lstrlenW (lpString=".doc") returned 4 [0037.723] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".docx") returned 5 [0037.723] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0037.723] lstrlenW (lpString=".pdf") returned 4 [0037.723] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".xls") returned 4 [0037.723] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".xlsx") returned 5 [0037.723] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0037.723] lstrlenW (lpString=".ppt") returned 4 [0037.723] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.723] lstrlenW (lpString=".zip") returned 4 [0037.723] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.723] lstrlenW (lpString=".rar") returned 4 [0037.723] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".bz2") returned 4 [0037.723] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.723] lstrlenW (lpString=".7z") returned 3 [0037.724] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.724] lstrlenW (lpString=".dbf") returned 4 [0037.724] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.724] lstrlenW (lpString=".1cd") returned 4 [0037.724] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0037.724] lstrlenW (lpString=".jpg") returned 4 [0037.724] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.724] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.724] lstrlenW (lpString="Proofing.xml") returned 12 [0037.724] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.724] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=811) returned 1 [0037.724] CloseHandle (hObject=0x170) returned 1 [0037.724] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0037.724] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.725] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.725] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.725] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.725] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.725] GetLastError () returned 0x0 [0037.725] ReadFile (in: hFile=0x170, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x32b, lpOverlapped=0x0) returned 1 [0037.742] WriteFile (in: hFile=0x174, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x330, lpOverlapped=0x0) returned 1 [0037.743] ReadFile (in: hFile=0x170, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.744] WriteFile (in: hFile=0x174, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.744] SetEndOfFile (hFile=0x174) returned 1 [0037.745] CloseHandle (hObject=0x174) returned 1 [0037.745] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.745] SetEndOfFile (hFile=0x170) returned 1 [0037.746] CloseHandle (hObject=0x170) returned 1 [0037.746] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.746] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString=".doc") returned 4 [0037.747] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString=".docx") returned 5 [0037.747] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0037.747] lstrlenW (lpString=".pdf") returned 4 [0037.747] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString=".xls") returned 4 [0037.747] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString=".xlsx") returned 5 [0037.747] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0037.747] lstrlenW (lpString=".ppt") returned 4 [0037.747] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString=".zip") returned 4 [0037.747] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.747] lstrlenW (lpString=".rar") returned 4 [0037.747] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString=".bz2") returned 4 [0037.747] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString=".7z") returned 3 [0037.747] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString=".dbf") returned 4 [0037.747] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString=".1cd") returned 4 [0037.747] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString=".jpg") returned 4 [0037.747] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.747] lstrlenW (lpString=".doc") returned 4 [0037.748] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString=".docx") returned 5 [0037.748] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0037.748] lstrlenW (lpString=".pdf") returned 4 [0037.748] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString=".xls") returned 4 [0037.748] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString=".xlsx") returned 5 [0037.748] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0037.748] lstrlenW (lpString=".ppt") returned 4 [0037.748] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.748] lstrlenW (lpString=".zip") returned 4 [0037.748] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.748] lstrlenW (lpString=".rar") returned 4 [0037.748] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString=".bz2") returned 4 [0037.748] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString=".7z") returned 3 [0037.748] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.748] lstrlenW (lpString=".dbf") returned 4 [0037.748] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.748] lstrlenW (lpString=".1cd") returned 4 [0037.748] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0037.748] lstrlenW (lpString=".jpg") returned 4 [0037.748] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.748] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.748] lstrlenW (lpString="Setup.xml") returned 9 [0037.748] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.749] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2362) returned 1 [0037.749] CloseHandle (hObject=0x170) returned 1 [0037.749] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.749] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.749] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.749] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.749] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.749] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.749] GetLastError () returned 0x0 [0037.749] ReadFile (in: hFile=0x170, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x93a, lpOverlapped=0x0) returned 1 [0037.761] WriteFile (in: hFile=0x174, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x940, lpOverlapped=0x0) returned 1 [0037.762] ReadFile (in: hFile=0x170, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.762] WriteFile (in: hFile=0x174, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.762] SetEndOfFile (hFile=0x174) returned 1 [0037.762] CloseHandle (hObject=0x174) returned 1 [0037.763] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.763] SetEndOfFile (hFile=0x170) returned 1 [0037.764] CloseHandle (hObject=0x170) returned 1 [0037.764] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.764] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.764] lstrlenW (lpString=".doc") returned 4 [0037.764] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.764] lstrlenW (lpString=".docx") returned 5 [0037.764] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.765] lstrlenW (lpString=".pdf") returned 4 [0037.765] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".xls") returned 4 [0037.765] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".xlsx") returned 5 [0037.765] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.765] lstrlenW (lpString=".ppt") returned 4 [0037.765] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.765] lstrlenW (lpString=".zip") returned 4 [0037.765] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.765] lstrlenW (lpString=".rar") returned 4 [0037.765] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".bz2") returned 4 [0037.765] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".7z") returned 3 [0037.765] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.765] lstrlenW (lpString=".dbf") returned 4 [0037.765] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.765] lstrlenW (lpString=".1cd") returned 4 [0037.765] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.765] lstrlenW (lpString=".jpg") returned 4 [0037.765] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.765] lstrlenW (lpString=".doc") returned 4 [0037.765] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".docx") returned 5 [0037.765] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.765] lstrlenW (lpString=".pdf") returned 4 [0037.765] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".xls") returned 4 [0037.765] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.765] lstrlenW (lpString=".xlsx") returned 5 [0037.765] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.766] lstrlenW (lpString=".ppt") returned 4 [0037.766] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.766] lstrlenW (lpString=".zip") returned 4 [0037.766] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.766] lstrlenW (lpString=".rar") returned 4 [0037.766] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.766] lstrlenW (lpString=".bz2") returned 4 [0037.766] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.766] lstrlenW (lpString=".7z") returned 3 [0037.766] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.766] lstrlenW (lpString=".dbf") returned 4 [0037.766] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.766] lstrlenW (lpString=".1cd") returned 4 [0037.766] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.766] lstrlenW (lpString=".jpg") returned 4 [0037.766] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.766] Sleep (dwMilliseconds=0x64) [0037.877] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.877] lstrlenW (lpString="Setup.xml") returned 9 [0037.877] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0037.881] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=6241) returned 1 [0037.881] CloseHandle (hObject=0x19c) returned 1 [0037.881] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.881] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.881] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0037.881] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.881] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.881] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.988] GetLastError () returned 0x0 [0037.988] ReadFile (in: hFile=0x19c, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x1861, lpOverlapped=0x0) returned 1 [0038.069] WriteFile (in: hFile=0x18c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0038.070] ReadFile (in: hFile=0x19c, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.070] WriteFile (in: hFile=0x18c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.070] SetEndOfFile (hFile=0x18c) returned 1 [0038.070] CloseHandle (hObject=0x18c) returned 1 [0038.071] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.071] SetEndOfFile (hFile=0x19c) returned 1 [0038.072] CloseHandle (hObject=0x19c) returned 1 [0038.072] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0038.072] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString=".doc") returned 4 [0038.073] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString=".docx") returned 5 [0038.073] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0038.073] lstrlenW (lpString=".pdf") returned 4 [0038.073] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString=".xls") returned 4 [0038.073] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString=".xlsx") returned 5 [0038.073] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0038.073] lstrlenW (lpString=".ppt") returned 4 [0038.073] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString=".zip") returned 4 [0038.073] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.073] lstrlenW (lpString=".rar") returned 4 [0038.073] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString=".bz2") returned 4 [0038.073] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString=".7z") returned 3 [0038.073] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString=".dbf") returned 4 [0038.073] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString=".1cd") returned 4 [0038.073] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString=".jpg") returned 4 [0038.073] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.073] lstrlenW (lpString=".doc") returned 4 [0038.073] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString=".docx") returned 5 [0038.074] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0038.074] lstrlenW (lpString=".pdf") returned 4 [0038.074] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString=".xls") returned 4 [0038.074] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString=".xlsx") returned 5 [0038.074] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0038.074] lstrlenW (lpString=".ppt") returned 4 [0038.074] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.074] lstrlenW (lpString=".zip") returned 4 [0038.074] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.074] lstrlenW (lpString=".rar") returned 4 [0038.074] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString=".bz2") returned 4 [0038.074] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString=".7z") returned 3 [0038.074] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.074] lstrlenW (lpString=".dbf") returned 4 [0038.074] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.074] lstrlenW (lpString=".1cd") returned 4 [0038.074] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.074] lstrlenW (lpString=".jpg") returned 4 [0038.074] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.074] Sleep (dwMilliseconds=0x64) [0038.318] lstrcmpiW (lpString1=".chm", lpString2=".NcOv") returned -1 [0038.318] lstrlenW (lpString="pss10r.chm") returned 10 [0038.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.650] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=27195) returned 1 [0040.650] CloseHandle (hObject=0x1c8) returned 1 [0040.651] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0040.651] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.651] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.651] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.651] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.651] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0040.651] GetLastError () returned 0x0 [0040.651] ReadFile (in: hFile=0x1c8, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0041.023] WriteFile (in: hFile=0x1e4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0041.025] ReadFile (in: hFile=0x1c8, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.025] WriteFile (in: hFile=0x1e4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.025] SetEndOfFile (hFile=0x1e4) returned 1 [0041.025] CloseHandle (hObject=0x1e4) returned 1 [0041.026] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.026] SetEndOfFile (hFile=0x1c8) returned 1 [0041.027] CloseHandle (hObject=0x1c8) returned 1 [0041.027] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.027] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0041.027] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.027] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.028] lstrlenW (lpString=".doc") returned 4 [0041.028] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString=".docx") returned 5 [0041.028] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0041.028] lstrlenW (lpString=".pdf") returned 4 [0041.028] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString=".xls") returned 4 [0041.028] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString=".xlsx") returned 5 [0041.028] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0041.028] lstrlenW (lpString=".ppt") returned 4 [0041.028] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.028] lstrlenW (lpString=".zip") returned 4 [0041.028] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString=".rar") returned 4 [0041.028] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString=".bz2") returned 4 [0041.028] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0041.028] lstrlenW (lpString=".7z") returned 3 [0041.028] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.028] lstrlenW (lpString=".dbf") returned 4 [0041.028] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.028] lstrlenW (lpString=".1cd") returned 4 [0041.028] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.028] lstrlenW (lpString=".jpg") returned 4 [0041.028] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.029] lstrlenW (lpString=".doc") returned 4 [0041.029] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString=".docx") returned 5 [0041.029] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0041.029] lstrlenW (lpString=".pdf") returned 4 [0041.029] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString=".xls") returned 4 [0041.029] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString=".xlsx") returned 5 [0041.029] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0041.029] lstrlenW (lpString=".ppt") returned 4 [0041.029] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.029] lstrlenW (lpString=".zip") returned 4 [0041.029] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString=".rar") returned 4 [0041.029] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString=".bz2") returned 4 [0041.029] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0041.029] lstrlenW (lpString=".7z") returned 3 [0041.029] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.029] lstrlenW (lpString=".dbf") returned 4 [0041.029] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.029] lstrlenW (lpString=".1cd") returned 4 [0041.029] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0041.029] lstrlenW (lpString=".jpg") returned 4 [0041.029] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0041.030] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.030] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0041.030] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.076] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=6421) returned 1 [0041.076] CloseHandle (hObject=0x1fc) returned 1 [0041.076] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0041.085] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.085] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.085] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.096] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.096] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.105] GetLastError () returned 0x0 [0041.105] ReadFile (in: hFile=0x1fc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x1915, lpOverlapped=0x0) returned 1 [0041.114] WriteFile (in: hFile=0x200, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0041.115] ReadFile (in: hFile=0x1fc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.115] WriteFile (in: hFile=0x200, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0041.115] SetEndOfFile (hFile=0x200) returned 1 [0041.115] CloseHandle (hObject=0x200) returned 1 [0041.116] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.116] SetEndOfFile (hFile=0x1fc) returned 1 [0041.117] CloseHandle (hObject=0x1fc) returned 1 [0041.117] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.117] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0041.117] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString=".doc") returned 4 [0041.118] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString=".docx") returned 5 [0041.118] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.118] lstrlenW (lpString=".pdf") returned 4 [0041.118] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString=".xls") returned 4 [0041.118] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString=".xlsx") returned 5 [0041.118] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.118] lstrlenW (lpString=".ppt") returned 4 [0041.118] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString=".zip") returned 4 [0041.118] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.118] lstrlenW (lpString=".rar") returned 4 [0041.118] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString=".bz2") returned 4 [0041.118] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString=".7z") returned 3 [0041.118] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString=".dbf") returned 4 [0041.118] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString=".1cd") returned 4 [0041.118] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString=".jpg") returned 4 [0041.118] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.118] lstrlenW (lpString=".doc") returned 4 [0041.118] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString=".docx") returned 5 [0041.119] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.119] lstrlenW (lpString=".pdf") returned 4 [0041.119] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString=".xls") returned 4 [0041.119] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString=".xlsx") returned 5 [0041.119] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.119] lstrlenW (lpString=".ppt") returned 4 [0041.119] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.119] lstrlenW (lpString=".zip") returned 4 [0041.119] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.119] lstrlenW (lpString=".rar") returned 4 [0041.119] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString=".bz2") returned 4 [0041.119] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString=".7z") returned 3 [0041.119] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.119] lstrlenW (lpString=".dbf") returned 4 [0041.119] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.119] lstrlenW (lpString=".1cd") returned 4 [0041.119] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0041.119] lstrlenW (lpString=".jpg") returned 4 [0041.119] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.119] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0041.119] lstrlenW (lpString="MS.GIF") returned 6 [0041.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.125] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1069) returned 1 [0041.125] CloseHandle (hObject=0x1f0) returned 1 [0041.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0041.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.134] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.134] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.142] GetLastError () returned 0x0 [0041.142] ReadFile (in: hFile=0x1f0, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x42d, lpOverlapped=0x0) returned 1 [0041.150] WriteFile (in: hFile=0x1c8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x430, lpOverlapped=0x0) returned 1 [0041.151] ReadFile (in: hFile=0x1f0, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.151] WriteFile (in: hFile=0x1c8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0041.151] SetEndOfFile (hFile=0x1c8) returned 1 [0041.152] CloseHandle (hObject=0x1c8) returned 1 [0041.153] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.153] SetEndOfFile (hFile=0x1f0) returned 1 [0041.154] CloseHandle (hObject=0x1f0) returned 1 [0041.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0041.154] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0041.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.154] lstrlenW (lpString=".doc") returned 4 [0041.154] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0041.154] lstrlenW (lpString=".docx") returned 5 [0041.154] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0041.154] lstrlenW (lpString=".pdf") returned 4 [0041.155] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString=".xls") returned 4 [0041.155] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString=".xlsx") returned 5 [0041.155] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0041.155] lstrlenW (lpString=".ppt") returned 4 [0041.155] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.155] lstrlenW (lpString=".zip") returned 4 [0041.155] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString=".rar") returned 4 [0041.155] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString=".bz2") returned 4 [0041.155] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0041.155] lstrlenW (lpString=".7z") returned 3 [0041.155] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0041.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.155] lstrlenW (lpString=".dbf") returned 4 [0041.155] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0041.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.155] lstrlenW (lpString=".1cd") returned 4 [0041.155] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0041.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.155] lstrlenW (lpString=".jpg") returned 4 [0041.155] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.155] lstrlenW (lpString=".doc") returned 4 [0041.155] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0041.155] lstrlenW (lpString=".docx") returned 5 [0041.155] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0041.155] lstrlenW (lpString=".pdf") returned 4 [0041.155] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString=".xls") returned 4 [0041.155] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0041.155] lstrlenW (lpString=".xlsx") returned 5 [0041.156] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0041.156] lstrlenW (lpString=".ppt") returned 4 [0041.156] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0041.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.156] lstrlenW (lpString=".zip") returned 4 [0041.156] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0041.156] lstrlenW (lpString=".rar") returned 4 [0041.156] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0041.156] lstrlenW (lpString=".bz2") returned 4 [0041.156] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0041.156] lstrlenW (lpString=".7z") returned 3 [0041.156] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0041.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.156] lstrlenW (lpString=".dbf") returned 4 [0041.156] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0041.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.156] lstrlenW (lpString=".1cd") returned 4 [0041.156] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0041.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0041.156] lstrlenW (lpString=".jpg") returned 4 [0041.156] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0041.156] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.156] lstrlenW (lpString="Content.xml") returned 11 [0041.156] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0041.517] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=27045) returned 1 [0041.517] CloseHandle (hObject=0x1a0) returned 1 [0041.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0041.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.518] lstrlenW (lpString=".doc") returned 4 [0041.518] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.518] lstrlenW (lpString=".docx") returned 5 [0041.518] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0041.518] lstrlenW (lpString=".pdf") returned 4 [0041.518] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.518] lstrlenW (lpString=".xls") returned 4 [0041.518] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.518] lstrlenW (lpString=".xlsx") returned 5 [0041.518] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0041.518] lstrlenW (lpString=".ppt") returned 4 [0041.518] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.518] lstrlenW (lpString=".zip") returned 4 [0041.518] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.518] lstrlenW (lpString=".rar") returned 4 [0041.518] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.518] lstrlenW (lpString=".bz2") returned 4 [0041.518] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.518] lstrlenW (lpString=".7z") returned 3 [0041.518] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.519] lstrlenW (lpString=".dbf") returned 4 [0041.519] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.519] lstrlenW (lpString=".1cd") returned 4 [0041.519] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.519] lstrlenW (lpString=".jpg") returned 4 [0041.519] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.519] lstrlenW (lpString=".doc") returned 4 [0041.519] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.519] lstrlenW (lpString=".docx") returned 5 [0041.519] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0041.519] lstrlenW (lpString=".pdf") returned 4 [0041.519] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.519] lstrlenW (lpString=".xls") returned 4 [0041.519] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.519] lstrlenW (lpString=".xlsx") returned 5 [0041.519] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0041.520] lstrlenW (lpString=".ppt") returned 4 [0041.520] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.520] lstrlenW (lpString=".zip") returned 4 [0041.520] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.520] lstrlenW (lpString=".rar") returned 4 [0041.520] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.520] lstrlenW (lpString=".bz2") returned 4 [0041.520] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.520] lstrlenW (lpString=".7z") returned 3 [0041.520] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.520] lstrlenW (lpString=".dbf") returned 4 [0041.520] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.520] lstrlenW (lpString=".1cd") returned 4 [0041.520] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0041.520] lstrlenW (lpString=".jpg") returned 4 [0041.520] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.521] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0041.521] lstrlenW (lpString="boxed-delete.avi") returned 16 [0041.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.089] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=31744) returned 1 [0042.089] CloseHandle (hObject=0x194) returned 1 [0042.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0042.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.091] lstrlenW (lpString=".doc") returned 4 [0042.091] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.091] lstrlenW (lpString=".docx") returned 5 [0042.091] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0042.091] lstrlenW (lpString=".pdf") returned 4 [0042.091] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.091] lstrlenW (lpString=".xls") returned 4 [0042.091] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.091] lstrlenW (lpString=".xlsx") returned 5 [0042.091] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0042.091] lstrlenW (lpString=".ppt") returned 4 [0042.091] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString=".zip") returned 4 [0042.092] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".rar") returned 4 [0042.092] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".bz2") returned 4 [0042.092] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".7z") returned 3 [0042.092] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString=".dbf") returned 4 [0042.092] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString=".1cd") returned 4 [0042.092] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString=".jpg") returned 4 [0042.092] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString=".doc") returned 4 [0042.092] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".docx") returned 5 [0042.092] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0042.092] lstrlenW (lpString=".pdf") returned 4 [0042.092] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".xls") returned 4 [0042.092] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".xlsx") returned 5 [0042.092] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0042.092] lstrlenW (lpString=".ppt") returned 4 [0042.092] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.092] lstrlenW (lpString=".zip") returned 4 [0042.092] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.092] lstrlenW (lpString=".rar") returned 4 [0042.093] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.093] lstrlenW (lpString=".bz2") returned 4 [0042.093] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.093] lstrlenW (lpString=".7z") returned 3 [0042.093] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.093] lstrlenW (lpString=".dbf") returned 4 [0042.093] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.093] lstrlenW (lpString=".1cd") returned 4 [0042.093] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0042.093] lstrlenW (lpString=".jpg") returned 4 [0042.093] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.093] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.093] lstrlenW (lpString="zh-phonetic.xml") returned 15 [0042.093] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0042.755] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=10947) returned 1 [0042.772] CloseHandle (hObject=0x1a0) returned 1 [0042.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml")) returned 0x20 [0042.786] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.786] lstrlenW (lpString=".doc") returned 4 [0042.786] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString=".docx") returned 5 [0042.786] lstrcmpiW (lpString1=".docx", lpString2="c.xml") returned -1 [0042.786] lstrlenW (lpString=".pdf") returned 4 [0042.786] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString=".xls") returned 4 [0042.786] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString=".xlsx") returned 5 [0042.786] lstrcmpiW (lpString1=".xlsx", lpString2="c.xml") returned -1 [0042.786] lstrlenW (lpString=".ppt") returned 4 [0042.786] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.786] lstrlenW (lpString=".zip") returned 4 [0042.786] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.786] lstrlenW (lpString=".rar") returned 4 [0042.786] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString=".bz2") returned 4 [0042.786] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString=".7z") returned 3 [0042.786] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.786] lstrlenW (lpString=".dbf") returned 4 [0042.786] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.786] lstrlenW (lpString=".1cd") returned 4 [0042.786] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString=".jpg") returned 4 [0042.787] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString=".doc") returned 4 [0042.787] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString=".docx") returned 5 [0042.787] lstrcmpiW (lpString1=".docx", lpString2="c.xml") returned -1 [0042.787] lstrlenW (lpString=".pdf") returned 4 [0042.787] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString=".xls") returned 4 [0042.787] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString=".xlsx") returned 5 [0042.787] lstrcmpiW (lpString1=".xlsx", lpString2="c.xml") returned -1 [0042.787] lstrlenW (lpString=".ppt") returned 4 [0042.787] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString=".zip") returned 4 [0042.787] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.787] lstrlenW (lpString=".rar") returned 4 [0042.787] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString=".bz2") returned 4 [0042.787] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString=".7z") returned 3 [0042.787] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString=".dbf") returned 4 [0042.787] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString=".1cd") returned 4 [0042.787] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0042.787] lstrlenW (lpString=".jpg") returned 4 [0042.787] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.788] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.788] lstrlenW (lpString="ipscsy.xml") returned 10 [0042.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.461] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2556) returned 1 [0043.461] CloseHandle (hObject=0x1a0) returned 1 [0043.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml")) returned 0x20 [0043.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.462] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.462] lstrlenW (lpString=".doc") returned 4 [0043.462] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString=".docx") returned 5 [0043.462] lstrcmpiW (lpString1=".docx", lpString2="y.xml") returned -1 [0043.462] lstrlenW (lpString=".pdf") returned 4 [0043.462] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString=".xls") returned 4 [0043.462] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString=".xlsx") returned 5 [0043.462] lstrcmpiW (lpString1=".xlsx", lpString2="y.xml") returned -1 [0043.462] lstrlenW (lpString=".ppt") returned 4 [0043.462] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.462] lstrlenW (lpString=".zip") returned 4 [0043.462] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0043.462] lstrlenW (lpString=".rar") returned 4 [0043.462] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString=".bz2") returned 4 [0043.462] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString=".7z") returned 3 [0043.462] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.462] lstrlenW (lpString=".dbf") returned 4 [0043.462] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.462] lstrlenW (lpString=".1cd") returned 4 [0043.462] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.462] lstrlenW (lpString=".jpg") returned 4 [0043.462] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0043.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.463] lstrlenW (lpString=".doc") returned 4 [0043.463] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString=".docx") returned 5 [0043.463] lstrcmpiW (lpString1=".docx", lpString2="y.xml") returned -1 [0043.463] lstrlenW (lpString=".pdf") returned 4 [0043.463] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString=".xls") returned 4 [0043.463] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString=".xlsx") returned 5 [0043.463] lstrcmpiW (lpString1=".xlsx", lpString2="y.xml") returned -1 [0043.463] lstrlenW (lpString=".ppt") returned 4 [0043.463] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.463] lstrlenW (lpString=".zip") returned 4 [0043.463] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0043.463] lstrlenW (lpString=".rar") returned 4 [0043.463] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString=".bz2") returned 4 [0043.463] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString=".7z") returned 3 [0043.463] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0043.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.463] lstrlenW (lpString=".dbf") returned 4 [0043.463] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.463] lstrlenW (lpString=".1cd") returned 4 [0043.463] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0043.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0043.463] lstrlenW (lpString=".jpg") returned 4 [0043.463] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0043.463] lstrcmpiW (lpString1=".HTM", lpString2=".NcOv") returned -1 [0043.464] lstrlenW (lpString="README.HTM") returned 10 [0043.464] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.965] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1941) returned 1 [0043.965] CloseHandle (hObject=0x200) returned 1 [0043.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 0x20 [0043.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.965] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.965] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0043.966] GetLastError () returned 0x0 [0043.966] ReadFile (in: hFile=0x200, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x795, lpOverlapped=0x0) returned 1 [0043.970] WriteFile (in: hFile=0x1f4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0043.971] ReadFile (in: hFile=0x200, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.971] WriteFile (in: hFile=0x1f4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0043.971] SetEndOfFile (hFile=0x1f4) returned 1 [0043.971] CloseHandle (hObject=0x1f4) returned 1 [0043.972] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.972] SetEndOfFile (hFile=0x200) returned 1 [0043.973] CloseHandle (hObject=0x200) returned 1 [0043.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0043.974] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.974] lstrlenW (lpString=".doc") returned 4 [0043.974] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0043.974] lstrlenW (lpString=".docx") returned 5 [0043.974] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0043.974] lstrlenW (lpString=".pdf") returned 4 [0043.974] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0043.974] lstrlenW (lpString=".xls") returned 4 [0043.974] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0043.974] lstrlenW (lpString=".xlsx") returned 5 [0043.974] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0043.974] lstrlenW (lpString=".ppt") returned 4 [0043.974] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.974] lstrlenW (lpString=".zip") returned 4 [0043.974] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0043.974] lstrlenW (lpString=".rar") returned 4 [0043.974] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0043.974] lstrlenW (lpString=".bz2") returned 4 [0043.974] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0043.974] lstrlenW (lpString=".7z") returned 3 [0043.974] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.974] lstrlenW (lpString=".dbf") returned 4 [0043.974] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.974] lstrlenW (lpString=".1cd") returned 4 [0043.975] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.975] lstrlenW (lpString=".jpg") returned 4 [0043.975] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.975] lstrlenW (lpString=".doc") returned 4 [0043.975] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0043.975] lstrlenW (lpString=".docx") returned 5 [0043.975] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0043.975] lstrlenW (lpString=".pdf") returned 4 [0043.975] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0043.975] lstrlenW (lpString=".xls") returned 4 [0043.975] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0043.975] lstrlenW (lpString=".xlsx") returned 5 [0043.975] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0043.975] lstrlenW (lpString=".ppt") returned 4 [0043.975] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.975] lstrlenW (lpString=".zip") returned 4 [0043.975] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0043.975] lstrlenW (lpString=".rar") returned 4 [0043.975] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0043.975] lstrlenW (lpString=".bz2") returned 4 [0043.975] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0043.975] lstrlenW (lpString=".7z") returned 3 [0043.975] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.975] lstrlenW (lpString=".dbf") returned 4 [0043.975] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.975] lstrlenW (lpString=".1cd") returned 4 [0043.976] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0043.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0043.976] lstrlenW (lpString=".jpg") returned 4 [0043.976] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0043.976] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0043.976] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0043.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.976] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1565) returned 1 [0043.976] CloseHandle (hObject=0x200) returned 1 [0043.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0043.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.977] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.977] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0043.977] GetLastError () returned 0x0 [0043.977] ReadFile (in: hFile=0x200, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x61d, lpOverlapped=0x0) returned 1 [0043.983] WriteFile (in: hFile=0x1f4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x620, lpOverlapped=0x0) returned 1 [0043.984] ReadFile (in: hFile=0x200, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.984] WriteFile (in: hFile=0x1f4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.984] SetEndOfFile (hFile=0x1f4) returned 1 [0043.984] CloseHandle (hObject=0x1f4) returned 1 [0043.985] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.985] SetEndOfFile (hFile=0x200) returned 1 [0043.986] CloseHandle (hObject=0x200) returned 1 [0043.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0043.986] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0043.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.986] lstrlenW (lpString=".doc") returned 4 [0043.986] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.986] lstrlenW (lpString=".docx") returned 5 [0043.987] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0043.987] lstrlenW (lpString=".pdf") returned 4 [0043.987] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString=".xls") returned 4 [0043.987] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString=".xlsx") returned 5 [0043.987] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0043.987] lstrlenW (lpString=".ppt") returned 4 [0043.987] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.987] lstrlenW (lpString=".zip") returned 4 [0043.987] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.987] lstrlenW (lpString=".rar") returned 4 [0043.987] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString=".bz2") returned 4 [0043.987] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString=".7z") returned 3 [0043.987] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.987] lstrlenW (lpString=".dbf") returned 4 [0043.987] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.987] lstrlenW (lpString=".1cd") returned 4 [0043.987] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.987] lstrlenW (lpString=".jpg") returned 4 [0043.987] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.987] lstrlenW (lpString=".doc") returned 4 [0043.987] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.987] lstrlenW (lpString=".docx") returned 5 [0043.987] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0043.988] lstrlenW (lpString=".pdf") returned 4 [0043.988] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString=".xls") returned 4 [0043.988] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString=".xlsx") returned 5 [0043.988] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0043.988] lstrlenW (lpString=".ppt") returned 4 [0043.988] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.988] lstrlenW (lpString=".zip") returned 4 [0043.988] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.988] lstrlenW (lpString=".rar") returned 4 [0043.988] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString=".bz2") returned 4 [0043.988] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString=".7z") returned 3 [0043.988] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.988] lstrlenW (lpString=".dbf") returned 4 [0043.988] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.988] lstrlenW (lpString=".1cd") returned 4 [0043.988] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0043.988] lstrlenW (lpString=".jpg") returned 4 [0043.988] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.988] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0043.988] lstrlenW (lpString="SETUP.XML") returned 9 [0043.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.992] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2296) returned 1 [0043.992] CloseHandle (hObject=0x1c4) returned 1 [0043.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0043.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.993] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.993] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0043.997] GetLastError () returned 0x0 [0043.997] ReadFile (in: hFile=0x1c4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0044.000] WriteFile (in: hFile=0x1f4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x900, lpOverlapped=0x0) returned 1 [0044.002] ReadFile (in: hFile=0x1c4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.002] WriteFile (in: hFile=0x1f4, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0044.002] SetEndOfFile (hFile=0x1f4) returned 1 [0044.002] CloseHandle (hObject=0x1f4) returned 1 [0044.008] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.008] SetEndOfFile (hFile=0x1c4) returned 1 [0044.009] CloseHandle (hObject=0x1c4) returned 1 [0044.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.009] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0044.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.009] lstrlenW (lpString=".doc") returned 4 [0044.009] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString=".docx") returned 5 [0044.010] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0044.010] lstrlenW (lpString=".pdf") returned 4 [0044.010] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString=".xls") returned 4 [0044.010] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString=".xlsx") returned 5 [0044.010] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0044.010] lstrlenW (lpString=".ppt") returned 4 [0044.010] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.010] lstrlenW (lpString=".zip") returned 4 [0044.010] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.010] lstrlenW (lpString=".rar") returned 4 [0044.010] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString=".bz2") returned 4 [0044.010] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString=".7z") returned 3 [0044.010] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.010] lstrlenW (lpString=".dbf") returned 4 [0044.010] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.010] lstrlenW (lpString=".1cd") returned 4 [0044.010] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.010] lstrlenW (lpString=".jpg") returned 4 [0044.010] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.010] lstrlenW (lpString=".doc") returned 4 [0044.010] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.010] lstrlenW (lpString=".docx") returned 5 [0044.010] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0044.010] lstrlenW (lpString=".pdf") returned 4 [0044.010] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString=".xls") returned 4 [0044.011] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString=".xlsx") returned 5 [0044.011] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0044.011] lstrlenW (lpString=".ppt") returned 4 [0044.011] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.011] lstrlenW (lpString=".zip") returned 4 [0044.011] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.011] lstrlenW (lpString=".rar") returned 4 [0044.011] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString=".bz2") returned 4 [0044.011] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString=".7z") returned 3 [0044.011] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.011] lstrlenW (lpString=".dbf") returned 4 [0044.011] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.011] lstrlenW (lpString=".1cd") returned 4 [0044.011] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0044.011] lstrlenW (lpString=".jpg") returned 4 [0044.011] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.011] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.011] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0044.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.012] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1231) returned 1 [0044.012] CloseHandle (hObject=0x1c4) returned 1 [0044.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0044.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.012] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.012] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.244] GetLastError () returned 0x0 [0044.244] ReadFile (in: hFile=0x1c4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0044.351] WriteFile (in: hFile=0x1f8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0044.352] ReadFile (in: hFile=0x1c4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.352] WriteFile (in: hFile=0x1f8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0044.353] SetEndOfFile (hFile=0x1f8) returned 1 [0044.353] CloseHandle (hObject=0x1f8) returned 1 [0044.353] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.354] SetEndOfFile (hFile=0x1c4) returned 1 [0044.354] CloseHandle (hObject=0x1c4) returned 1 [0044.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.355] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0044.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.355] lstrlenW (lpString=".doc") returned 4 [0044.355] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.355] lstrlenW (lpString=".docx") returned 5 [0044.355] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0044.355] lstrlenW (lpString=".pdf") returned 4 [0044.355] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.355] lstrlenW (lpString=".xls") returned 4 [0044.355] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.355] lstrlenW (lpString=".xlsx") returned 5 [0044.355] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0044.355] lstrlenW (lpString=".ppt") returned 4 [0044.355] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.355] lstrlenW (lpString=".zip") returned 4 [0044.355] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.356] lstrlenW (lpString=".rar") returned 4 [0044.356] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".bz2") returned 4 [0044.356] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".7z") returned 3 [0044.356] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.356] lstrlenW (lpString=".dbf") returned 4 [0044.356] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.356] lstrlenW (lpString=".1cd") returned 4 [0044.356] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.356] lstrlenW (lpString=".jpg") returned 4 [0044.356] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.356] lstrlenW (lpString=".doc") returned 4 [0044.356] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".docx") returned 5 [0044.356] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0044.356] lstrlenW (lpString=".pdf") returned 4 [0044.356] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".xls") returned 4 [0044.356] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".xlsx") returned 5 [0044.356] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0044.356] lstrlenW (lpString=".ppt") returned 4 [0044.356] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.356] lstrlenW (lpString=".zip") returned 4 [0044.356] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.356] lstrlenW (lpString=".rar") returned 4 [0044.356] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".bz2") returned 4 [0044.356] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.356] lstrlenW (lpString=".7z") returned 3 [0044.357] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.357] lstrlenW (lpString=".dbf") returned 4 [0044.357] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.357] lstrlenW (lpString=".1cd") returned 4 [0044.357] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0044.357] lstrlenW (lpString=".jpg") returned 4 [0044.357] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.357] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.357] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0044.357] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.422] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=819) returned 1 [0044.422] CloseHandle (hObject=0x1f4) returned 1 [0044.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0044.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.427] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.431] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.431] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.436] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.983] GetLastError () returned 0x0 [0044.983] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x333, lpOverlapped=0x0) returned 1 [0044.996] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x340, lpOverlapped=0x0) returned 1 [0044.997] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.997] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0044.997] SetEndOfFile (hFile=0x188) returned 1 [0044.997] CloseHandle (hObject=0x188) returned 1 [0044.998] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.998] SetEndOfFile (hFile=0x1f4) returned 1 [0044.999] CloseHandle (hObject=0x1f4) returned 1 [0045.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0045.000] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0045.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.000] lstrlenW (lpString=".doc") returned 4 [0045.000] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.000] lstrlenW (lpString=".docx") returned 5 [0045.000] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0045.000] lstrlenW (lpString=".pdf") returned 4 [0045.000] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.000] lstrlenW (lpString=".xls") returned 4 [0045.000] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString=".xlsx") returned 5 [0045.001] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0045.001] lstrlenW (lpString=".ppt") returned 4 [0045.001] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.001] lstrlenW (lpString=".zip") returned 4 [0045.001] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.001] lstrlenW (lpString=".rar") returned 4 [0045.001] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString=".bz2") returned 4 [0045.001] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString=".7z") returned 3 [0045.001] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.001] lstrlenW (lpString=".dbf") returned 4 [0045.001] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.001] lstrlenW (lpString=".1cd") returned 4 [0045.001] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.001] lstrlenW (lpString=".jpg") returned 4 [0045.001] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.001] lstrlenW (lpString=".doc") returned 4 [0045.001] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.001] lstrlenW (lpString=".docx") returned 5 [0045.001] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0045.002] lstrlenW (lpString=".pdf") returned 4 [0045.002] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString=".xls") returned 4 [0045.002] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString=".xlsx") returned 5 [0045.002] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0045.002] lstrlenW (lpString=".ppt") returned 4 [0045.002] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.002] lstrlenW (lpString=".zip") returned 4 [0045.002] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.002] lstrlenW (lpString=".rar") returned 4 [0045.002] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString=".bz2") returned 4 [0045.002] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString=".7z") returned 3 [0045.002] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.002] lstrlenW (lpString=".dbf") returned 4 [0045.002] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.002] lstrlenW (lpString=".1cd") returned 4 [0045.002] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0045.002] lstrlenW (lpString=".jpg") returned 4 [0045.002] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.003] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0045.003] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0045.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.003] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=3186) returned 1 [0045.003] CloseHandle (hObject=0x1f4) returned 1 [0045.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0045.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.003] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.004] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0045.006] GetLastError () returned 0x0 [0045.006] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xc72, lpOverlapped=0x0) returned 1 [0045.007] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0045.008] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.008] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0045.008] SetEndOfFile (hFile=0x188) returned 1 [0045.008] CloseHandle (hObject=0x188) returned 1 [0045.009] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.009] SetEndOfFile (hFile=0x1f4) returned 1 [0045.010] CloseHandle (hObject=0x1f4) returned 1 [0045.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0045.010] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0045.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.011] lstrlenW (lpString=".doc") returned 4 [0045.011] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.011] lstrlenW (lpString=".docx") returned 5 [0045.011] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0045.011] lstrlenW (lpString=".pdf") returned 4 [0045.011] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.011] lstrlenW (lpString=".xls") returned 4 [0045.011] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.011] lstrlenW (lpString=".xlsx") returned 5 [0045.011] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0045.011] lstrlenW (lpString=".ppt") returned 4 [0045.011] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.011] lstrlenW (lpString=".zip") returned 4 [0045.011] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.011] lstrlenW (lpString=".rar") returned 4 [0045.011] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.011] lstrlenW (lpString=".bz2") returned 4 [0045.011] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString=".7z") returned 3 [0045.012] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.012] lstrlenW (lpString=".dbf") returned 4 [0045.012] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.012] lstrlenW (lpString=".1cd") returned 4 [0045.012] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.012] lstrlenW (lpString=".jpg") returned 4 [0045.012] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.012] lstrlenW (lpString=".doc") returned 4 [0045.012] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString=".docx") returned 5 [0045.012] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0045.012] lstrlenW (lpString=".pdf") returned 4 [0045.012] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString=".xls") returned 4 [0045.012] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString=".xlsx") returned 5 [0045.012] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0045.012] lstrlenW (lpString=".ppt") returned 4 [0045.012] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.012] lstrlenW (lpString=".zip") returned 4 [0045.013] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.013] lstrlenW (lpString=".rar") returned 4 [0045.013] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.013] lstrlenW (lpString=".bz2") returned 4 [0045.013] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.013] lstrlenW (lpString=".7z") returned 3 [0045.013] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.013] lstrlenW (lpString=".dbf") returned 4 [0045.013] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.013] lstrlenW (lpString=".1cd") returned 4 [0045.013] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0045.013] lstrlenW (lpString=".jpg") returned 4 [0045.013] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.013] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0045.014] lstrlenW (lpString="SETUP.XML") returned 9 [0045.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.015] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=4207) returned 1 [0045.015] CloseHandle (hObject=0x1f4) returned 1 [0045.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0045.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.015] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.015] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0045.016] GetLastError () returned 0x0 [0045.016] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x106f, lpOverlapped=0x0) returned 1 [0045.018] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0045.019] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.019] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0045.019] SetEndOfFile (hFile=0x188) returned 1 [0045.019] CloseHandle (hObject=0x188) returned 1 [0045.020] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.020] SetEndOfFile (hFile=0x1f4) returned 1 [0045.021] CloseHandle (hObject=0x1f4) returned 1 [0045.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0045.024] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0045.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.024] lstrlenW (lpString=".doc") returned 4 [0045.025] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString=".docx") returned 5 [0045.025] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0045.025] lstrlenW (lpString=".pdf") returned 4 [0045.025] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString=".xls") returned 4 [0045.025] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString=".xlsx") returned 5 [0045.025] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0045.025] lstrlenW (lpString=".ppt") returned 4 [0045.025] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.025] lstrlenW (lpString=".zip") returned 4 [0045.025] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.025] lstrlenW (lpString=".rar") returned 4 [0045.025] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString=".bz2") returned 4 [0045.025] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString=".7z") returned 3 [0045.025] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.025] lstrlenW (lpString=".dbf") returned 4 [0045.025] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.025] lstrlenW (lpString=".1cd") returned 4 [0045.025] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.025] lstrlenW (lpString=".jpg") returned 4 [0045.025] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.026] lstrlenW (lpString=".doc") returned 4 [0045.026] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString=".docx") returned 5 [0045.026] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0045.026] lstrlenW (lpString=".pdf") returned 4 [0045.026] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString=".xls") returned 4 [0045.026] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString=".xlsx") returned 5 [0045.026] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0045.026] lstrlenW (lpString=".ppt") returned 4 [0045.026] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.026] lstrlenW (lpString=".zip") returned 4 [0045.026] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.026] lstrlenW (lpString=".rar") returned 4 [0045.026] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString=".bz2") returned 4 [0045.026] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString=".7z") returned 3 [0045.026] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.026] lstrlenW (lpString=".dbf") returned 4 [0045.026] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.026] lstrlenW (lpString=".1cd") returned 4 [0045.027] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0045.027] lstrlenW (lpString=".jpg") returned 4 [0045.027] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.027] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0045.027] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0045.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.027] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1450) returned 1 [0045.027] CloseHandle (hObject=0x1f4) returned 1 [0045.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0045.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.028] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.028] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0045.795] GetLastError () returned 0x0 [0045.795] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0045.796] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0045.797] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.797] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0045.798] SetEndOfFile (hFile=0x188) returned 1 [0045.798] CloseHandle (hObject=0x188) returned 1 [0045.800] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.800] SetEndOfFile (hFile=0x1f4) returned 1 [0045.801] CloseHandle (hObject=0x1f4) returned 1 [0045.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0045.801] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0045.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.801] lstrlenW (lpString=".doc") returned 4 [0045.801] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.801] lstrlenW (lpString=".docx") returned 5 [0045.801] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0045.801] lstrlenW (lpString=".pdf") returned 4 [0045.801] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.801] lstrlenW (lpString=".xls") returned 4 [0045.801] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.801] lstrlenW (lpString=".xlsx") returned 5 [0045.801] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0045.802] lstrlenW (lpString=".ppt") returned 4 [0045.802] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.802] lstrlenW (lpString=".zip") returned 4 [0045.802] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.802] lstrlenW (lpString=".rar") returned 4 [0045.802] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString=".bz2") returned 4 [0045.802] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString=".7z") returned 3 [0045.802] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.802] lstrlenW (lpString=".dbf") returned 4 [0045.802] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.802] lstrlenW (lpString=".1cd") returned 4 [0045.802] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.802] lstrlenW (lpString=".jpg") returned 4 [0045.802] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.802] lstrlenW (lpString=".doc") returned 4 [0045.802] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString=".docx") returned 5 [0045.802] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0045.802] lstrlenW (lpString=".pdf") returned 4 [0045.802] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString=".xls") returned 4 [0045.802] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString=".xlsx") returned 5 [0045.802] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0045.802] lstrlenW (lpString=".ppt") returned 4 [0045.802] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.803] lstrlenW (lpString=".zip") returned 4 [0045.803] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.803] lstrlenW (lpString=".rar") returned 4 [0045.803] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.803] lstrlenW (lpString=".bz2") returned 4 [0045.803] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.803] lstrlenW (lpString=".7z") returned 3 [0045.803] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.803] lstrlenW (lpString=".dbf") returned 4 [0045.803] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.803] lstrlenW (lpString=".1cd") returned 4 [0045.803] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0045.803] lstrlenW (lpString=".jpg") returned 4 [0045.803] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.803] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0045.803] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0045.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.805] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=6421) returned 1 [0045.805] CloseHandle (hObject=0x1f4) returned 1 [0045.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0045.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.805] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.805] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0045.805] GetLastError () returned 0x0 [0045.805] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x1915, lpOverlapped=0x0) returned 1 [0045.807] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0045.809] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.809] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0045.809] SetEndOfFile (hFile=0x188) returned 1 [0045.809] CloseHandle (hObject=0x188) returned 1 [0045.810] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.810] SetEndOfFile (hFile=0x1f4) returned 1 [0045.811] CloseHandle (hObject=0x1f4) returned 1 [0045.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0045.811] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0045.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.811] lstrlenW (lpString=".doc") returned 4 [0045.811] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.811] lstrlenW (lpString=".docx") returned 5 [0045.811] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0045.811] lstrlenW (lpString=".pdf") returned 4 [0045.811] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.811] lstrlenW (lpString=".xls") returned 4 [0045.811] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.811] lstrlenW (lpString=".xlsx") returned 5 [0045.811] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0045.811] lstrlenW (lpString=".ppt") returned 4 [0045.811] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.811] lstrlenW (lpString=".zip") returned 4 [0045.811] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.812] lstrlenW (lpString=".rar") returned 4 [0045.812] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString=".bz2") returned 4 [0045.812] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString=".7z") returned 3 [0045.812] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.812] lstrlenW (lpString=".dbf") returned 4 [0045.812] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.812] lstrlenW (lpString=".1cd") returned 4 [0045.812] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.812] lstrlenW (lpString=".jpg") returned 4 [0045.812] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.812] lstrlenW (lpString=".doc") returned 4 [0045.812] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString=".docx") returned 5 [0045.812] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0045.812] lstrlenW (lpString=".pdf") returned 4 [0045.812] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString=".xls") returned 4 [0045.812] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString=".xlsx") returned 5 [0045.812] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0045.812] lstrlenW (lpString=".ppt") returned 4 [0045.812] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.812] lstrlenW (lpString=".zip") returned 4 [0045.812] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.812] lstrlenW (lpString=".rar") returned 4 [0045.812] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.812] lstrlenW (lpString=".bz2") returned 4 [0045.812] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.813] lstrlenW (lpString=".7z") returned 3 [0045.813] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.813] lstrlenW (lpString=".dbf") returned 4 [0045.813] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.813] lstrlenW (lpString=".1cd") returned 4 [0045.813] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0045.813] lstrlenW (lpString=".jpg") returned 4 [0045.813] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.813] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0045.813] lstrlenW (lpString="SETUP.XML") returned 9 [0045.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.814] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=16683) returned 1 [0045.814] CloseHandle (hObject=0x1f4) returned 1 [0045.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0045.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.815] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.815] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0045.817] GetLastError () returned 0x0 [0045.817] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x412b, lpOverlapped=0x0) returned 1 [0045.819] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0045.820] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.820] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0045.821] SetEndOfFile (hFile=0x188) returned 1 [0045.821] CloseHandle (hObject=0x188) returned 1 [0045.823] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.823] SetEndOfFile (hFile=0x1f4) returned 1 [0045.824] CloseHandle (hObject=0x1f4) returned 1 [0045.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0045.825] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0045.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.825] lstrlenW (lpString=".doc") returned 4 [0045.825] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.825] lstrlenW (lpString=".docx") returned 5 [0045.825] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0045.825] lstrlenW (lpString=".pdf") returned 4 [0045.825] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.825] lstrlenW (lpString=".xls") returned 4 [0045.825] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.825] lstrlenW (lpString=".xlsx") returned 5 [0045.825] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0045.825] lstrlenW (lpString=".ppt") returned 4 [0045.825] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.825] lstrlenW (lpString=".zip") returned 4 [0045.825] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.825] lstrlenW (lpString=".rar") returned 4 [0045.825] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.825] lstrlenW (lpString=".bz2") returned 4 [0045.825] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.825] lstrlenW (lpString=".7z") returned 3 [0045.826] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString=".dbf") returned 4 [0045.826] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString=".1cd") returned 4 [0045.826] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString=".jpg") returned 4 [0045.826] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString=".doc") returned 4 [0045.826] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString=".docx") returned 5 [0045.826] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0045.826] lstrlenW (lpString=".pdf") returned 4 [0045.826] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString=".xls") returned 4 [0045.826] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString=".xlsx") returned 5 [0045.826] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0045.826] lstrlenW (lpString=".ppt") returned 4 [0045.826] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString=".zip") returned 4 [0045.826] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0045.826] lstrlenW (lpString=".rar") returned 4 [0045.826] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString=".bz2") returned 4 [0045.826] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0045.826] lstrlenW (lpString=".7z") returned 3 [0045.826] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0045.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.826] lstrlenW (lpString=".dbf") returned 4 [0045.826] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0045.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.827] lstrlenW (lpString=".1cd") returned 4 [0045.827] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0045.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0045.827] lstrlenW (lpString=".jpg") returned 4 [0045.827] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0045.827] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0045.827] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0045.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.827] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1452) returned 1 [0045.827] CloseHandle (hObject=0x1f4) returned 1 [0045.827] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0045.827] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.827] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.828] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.105] GetLastError () returned 0x0 [0046.105] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0046.465] WriteFile (in: hFile=0x1e8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0046.466] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.466] WriteFile (in: hFile=0x1e8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0046.466] SetEndOfFile (hFile=0x1e8) returned 1 [0046.467] CloseHandle (hObject=0x1e8) returned 1 [0046.467] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.467] SetEndOfFile (hFile=0x1f4) returned 1 [0046.468] CloseHandle (hObject=0x1f4) returned 1 [0046.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.469] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0046.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.469] lstrlenW (lpString=".doc") returned 4 [0046.469] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.469] lstrlenW (lpString=".docx") returned 5 [0046.469] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0046.469] lstrlenW (lpString=".pdf") returned 4 [0046.469] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.469] lstrlenW (lpString=".xls") returned 4 [0046.469] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.469] lstrlenW (lpString=".xlsx") returned 5 [0046.470] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0046.470] lstrlenW (lpString=".ppt") returned 4 [0046.470] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.470] lstrlenW (lpString=".zip") returned 4 [0046.470] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.470] lstrlenW (lpString=".rar") returned 4 [0046.470] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString=".bz2") returned 4 [0046.470] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString=".7z") returned 3 [0046.470] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.470] lstrlenW (lpString=".dbf") returned 4 [0046.470] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.470] lstrlenW (lpString=".1cd") returned 4 [0046.470] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.470] lstrlenW (lpString=".jpg") returned 4 [0046.470] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.470] lstrlenW (lpString=".doc") returned 4 [0046.470] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.470] lstrlenW (lpString=".docx") returned 5 [0046.470] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0046.471] lstrlenW (lpString=".pdf") returned 4 [0046.471] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString=".xls") returned 4 [0046.471] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString=".xlsx") returned 5 [0046.471] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0046.471] lstrlenW (lpString=".ppt") returned 4 [0046.471] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.471] lstrlenW (lpString=".zip") returned 4 [0046.471] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.471] lstrlenW (lpString=".rar") returned 4 [0046.471] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString=".bz2") returned 4 [0046.471] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString=".7z") returned 3 [0046.471] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.471] lstrlenW (lpString=".dbf") returned 4 [0046.471] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.471] lstrlenW (lpString=".1cd") returned 4 [0046.471] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0046.471] lstrlenW (lpString=".jpg") returned 4 [0046.471] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.472] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0046.472] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0046.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.472] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1450) returned 1 [0046.472] CloseHandle (hObject=0x1f4) returned 1 [0046.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0046.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.472] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.473] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0046.502] GetLastError () returned 0x0 [0046.502] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0046.508] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0046.510] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.510] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0046.510] SetEndOfFile (hFile=0x188) returned 1 [0046.510] CloseHandle (hObject=0x188) returned 1 [0046.512] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.512] SetEndOfFile (hFile=0x1f4) returned 1 [0046.513] CloseHandle (hObject=0x1f4) returned 1 [0046.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.513] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.514] lstrlenW (lpString=".doc") returned 4 [0046.514] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.514] lstrlenW (lpString=".docx") returned 5 [0046.514] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0046.514] lstrlenW (lpString=".pdf") returned 4 [0046.514] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.514] lstrlenW (lpString=".xls") returned 4 [0046.514] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.514] lstrlenW (lpString=".xlsx") returned 5 [0046.514] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0046.514] lstrlenW (lpString=".ppt") returned 4 [0046.514] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.514] lstrlenW (lpString=".zip") returned 4 [0046.514] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.514] lstrlenW (lpString=".rar") returned 4 [0046.514] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.514] lstrlenW (lpString=".bz2") returned 4 [0046.514] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.514] lstrlenW (lpString=".7z") returned 3 [0046.514] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.514] lstrlenW (lpString=".dbf") returned 4 [0046.514] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.515] lstrlenW (lpString=".1cd") returned 4 [0046.515] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.515] lstrlenW (lpString=".jpg") returned 4 [0046.515] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.515] lstrlenW (lpString=".doc") returned 4 [0046.515] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString=".docx") returned 5 [0046.515] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0046.515] lstrlenW (lpString=".pdf") returned 4 [0046.515] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString=".xls") returned 4 [0046.515] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString=".xlsx") returned 5 [0046.515] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0046.515] lstrlenW (lpString=".ppt") returned 4 [0046.515] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.515] lstrlenW (lpString=".zip") returned 4 [0046.515] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.515] lstrlenW (lpString=".rar") returned 4 [0046.515] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.515] lstrlenW (lpString=".bz2") returned 4 [0046.516] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.516] lstrlenW (lpString=".7z") returned 3 [0046.516] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.516] lstrlenW (lpString=".dbf") returned 4 [0046.516] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.516] lstrlenW (lpString=".1cd") returned 4 [0046.516] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0046.516] lstrlenW (lpString=".jpg") returned 4 [0046.516] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.516] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0046.516] lstrlenW (lpString="SETUP.XML") returned 9 [0046.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.517] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=6241) returned 1 [0046.517] CloseHandle (hObject=0x1f4) returned 1 [0046.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0046.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.518] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.518] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0046.518] GetLastError () returned 0x0 [0046.518] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x1861, lpOverlapped=0x0) returned 1 [0046.520] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0046.522] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.522] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.522] SetEndOfFile (hFile=0x188) returned 1 [0046.522] CloseHandle (hObject=0x188) returned 1 [0046.523] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.523] SetEndOfFile (hFile=0x1f4) returned 1 [0046.524] CloseHandle (hObject=0x1f4) returned 1 [0046.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.524] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0046.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.525] lstrlenW (lpString=".doc") returned 4 [0046.525] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.525] lstrlenW (lpString=".docx") returned 5 [0046.525] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0046.525] lstrlenW (lpString=".pdf") returned 4 [0046.525] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.525] lstrlenW (lpString=".xls") returned 4 [0046.525] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.525] lstrlenW (lpString=".xlsx") returned 5 [0046.525] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0046.525] lstrlenW (lpString=".ppt") returned 4 [0046.525] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.525] lstrlenW (lpString=".zip") returned 4 [0046.525] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.525] lstrlenW (lpString=".rar") returned 4 [0046.525] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.525] lstrlenW (lpString=".bz2") returned 4 [0046.525] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.525] lstrlenW (lpString=".7z") returned 3 [0046.525] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.526] lstrlenW (lpString=".dbf") returned 4 [0046.526] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.526] lstrlenW (lpString=".1cd") returned 4 [0046.526] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.526] lstrlenW (lpString=".jpg") returned 4 [0046.526] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.526] lstrlenW (lpString=".doc") returned 4 [0046.526] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString=".docx") returned 5 [0046.526] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0046.526] lstrlenW (lpString=".pdf") returned 4 [0046.526] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString=".xls") returned 4 [0046.526] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString=".xlsx") returned 5 [0046.526] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0046.526] lstrlenW (lpString=".ppt") returned 4 [0046.526] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.526] lstrlenW (lpString=".zip") returned 4 [0046.526] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.526] lstrlenW (lpString=".rar") returned 4 [0046.526] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.526] lstrlenW (lpString=".bz2") returned 4 [0046.527] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.527] lstrlenW (lpString=".7z") returned 3 [0046.527] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.527] lstrlenW (lpString=".dbf") returned 4 [0046.527] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.527] lstrlenW (lpString=".1cd") returned 4 [0046.527] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0046.527] lstrlenW (lpString=".jpg") returned 4 [0046.527] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.527] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0046.527] lstrlenW (lpString="VisioMUI.XML") returned 12 [0046.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.528] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=9503) returned 1 [0046.528] CloseHandle (hObject=0x1f4) returned 1 [0046.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0046.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.529] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.529] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.529] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.529] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.531] GetLastError () returned 0x0 [0046.531] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x251f, lpOverlapped=0x0) returned 1 [0046.904] WriteFile (in: hFile=0x1e8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0046.905] ReadFile (in: hFile=0x1f4, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.905] WriteFile (in: hFile=0x1e8, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.905] SetEndOfFile (hFile=0x1e8) returned 1 [0046.906] CloseHandle (hObject=0x1e8) returned 1 [0046.906] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.907] SetEndOfFile (hFile=0x1f4) returned 1 [0046.908] CloseHandle (hObject=0x1f4) returned 1 [0046.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.908] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0046.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.908] lstrlenW (lpString=".doc") returned 4 [0046.908] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.908] lstrlenW (lpString=".docx") returned 5 [0046.908] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0046.908] lstrlenW (lpString=".pdf") returned 4 [0046.908] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString=".xls") returned 4 [0046.909] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString=".xlsx") returned 5 [0046.909] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0046.909] lstrlenW (lpString=".ppt") returned 4 [0046.909] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.909] lstrlenW (lpString=".zip") returned 4 [0046.909] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.909] lstrlenW (lpString=".rar") returned 4 [0046.909] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString=".bz2") returned 4 [0046.909] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString=".7z") returned 3 [0046.909] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.909] lstrlenW (lpString=".dbf") returned 4 [0046.909] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.909] lstrlenW (lpString=".1cd") returned 4 [0046.909] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.909] lstrlenW (lpString=".jpg") returned 4 [0046.909] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.909] lstrlenW (lpString=".doc") returned 4 [0046.909] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.909] lstrlenW (lpString=".docx") returned 5 [0046.909] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0046.910] lstrlenW (lpString=".pdf") returned 4 [0046.910] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString=".xls") returned 4 [0046.910] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString=".xlsx") returned 5 [0046.910] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0046.910] lstrlenW (lpString=".ppt") returned 4 [0046.910] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.910] lstrlenW (lpString=".zip") returned 4 [0046.910] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.910] lstrlenW (lpString=".rar") returned 4 [0046.910] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString=".bz2") returned 4 [0046.910] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString=".7z") returned 3 [0046.910] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.910] lstrlenW (lpString=".dbf") returned 4 [0046.910] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.910] lstrlenW (lpString=".1cd") returned 4 [0046.910] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0046.910] lstrlenW (lpString=".jpg") returned 4 [0046.910] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.910] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0046.910] lstrlenW (lpString="STOCKS.XML") returned 10 [0046.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.357] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2687) returned 1 [0047.357] CloseHandle (hObject=0x194) returned 1 [0047.357] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0047.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.358] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.358] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.703] GetLastError () returned 0x0 [0047.703] ReadFile (in: hFile=0x194, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xa7f, lpOverlapped=0x0) returned 1 [0047.734] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xa80, lpOverlapped=0x0) returned 1 [0047.735] ReadFile (in: hFile=0x194, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.735] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0047.735] SetEndOfFile (hFile=0x204) returned 1 [0047.735] CloseHandle (hObject=0x204) returned 1 [0047.735] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.735] SetEndOfFile (hFile=0x194) returned 1 [0047.736] CloseHandle (hObject=0x194) returned 1 [0047.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0047.736] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0047.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString=".doc") returned 4 [0047.737] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString=".docx") returned 5 [0047.737] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0047.737] lstrlenW (lpString=".pdf") returned 4 [0047.737] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString=".xls") returned 4 [0047.737] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString=".xlsx") returned 5 [0047.737] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0047.737] lstrlenW (lpString=".ppt") returned 4 [0047.737] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString=".zip") returned 4 [0047.737] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0047.737] lstrlenW (lpString=".rar") returned 4 [0047.737] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString=".bz2") returned 4 [0047.737] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString=".7z") returned 3 [0047.737] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString=".dbf") returned 4 [0047.737] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString=".1cd") returned 4 [0047.737] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString=".jpg") returned 4 [0047.737] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.737] lstrlenW (lpString=".doc") returned 4 [0047.737] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0047.737] lstrlenW (lpString=".docx") returned 5 [0047.738] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0047.738] lstrlenW (lpString=".pdf") returned 4 [0047.738] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString=".xls") returned 4 [0047.738] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString=".xlsx") returned 5 [0047.738] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0047.738] lstrlenW (lpString=".ppt") returned 4 [0047.738] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.738] lstrlenW (lpString=".zip") returned 4 [0047.738] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0047.738] lstrlenW (lpString=".rar") returned 4 [0047.738] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString=".bz2") returned 4 [0047.738] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString=".7z") returned 3 [0047.738] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0047.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.738] lstrlenW (lpString=".dbf") returned 4 [0047.738] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.738] lstrlenW (lpString=".1cd") returned 4 [0047.738] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0047.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0047.738] lstrlenW (lpString=".jpg") returned 4 [0047.738] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0047.738] lstrcmpiW (lpString1=".htm", lpString2=".NcOv") returned -1 [0047.738] lstrlenW (lpString="Bears.htm") returned 9 [0047.738] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.744] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=255) returned 1 [0047.744] CloseHandle (hObject=0x208) returned 1 [0047.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0047.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.745] lstrlenW (lpString=".doc") returned 4 [0047.745] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0047.745] lstrlenW (lpString=".docx") returned 5 [0047.745] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0047.745] lstrlenW (lpString=".pdf") returned 4 [0047.745] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0047.745] lstrlenW (lpString=".xls") returned 4 [0047.745] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0047.745] lstrlenW (lpString=".xlsx") returned 5 [0047.745] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0047.745] lstrlenW (lpString=".ppt") returned 4 [0047.745] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.745] lstrlenW (lpString=".zip") returned 4 [0047.745] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0047.745] lstrlenW (lpString=".rar") returned 4 [0047.745] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0047.745] lstrlenW (lpString=".bz2") returned 4 [0047.745] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0047.745] lstrlenW (lpString=".7z") returned 3 [0047.745] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.745] lstrlenW (lpString=".dbf") returned 4 [0047.745] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.745] lstrlenW (lpString=".1cd") returned 4 [0047.745] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.745] lstrlenW (lpString=".jpg") returned 4 [0047.745] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0047.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.746] lstrlenW (lpString=".doc") returned 4 [0047.746] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0047.746] lstrlenW (lpString=".docx") returned 5 [0047.746] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0047.746] lstrlenW (lpString=".pdf") returned 4 [0047.746] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0047.746] lstrlenW (lpString=".xls") returned 4 [0047.746] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0047.746] lstrlenW (lpString=".xlsx") returned 5 [0047.746] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0047.746] lstrlenW (lpString=".ppt") returned 4 [0047.746] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0047.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.746] lstrlenW (lpString=".zip") returned 4 [0047.746] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0047.746] lstrlenW (lpString=".rar") returned 4 [0047.746] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0047.746] lstrlenW (lpString=".bz2") returned 4 [0047.746] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0047.746] lstrlenW (lpString=".7z") returned 3 [0047.746] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0047.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.746] lstrlenW (lpString=".dbf") returned 4 [0047.746] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0047.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.746] lstrlenW (lpString=".1cd") returned 4 [0047.746] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0047.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0047.746] lstrlenW (lpString=".jpg") returned 4 [0047.746] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0047.746] lstrcmpiW (lpString1=".jpg", lpString2=".NcOv") returned -1 [0047.746] lstrlenW (lpString="Bears.jpg") returned 9 [0047.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.747] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1074) returned 1 [0047.747] CloseHandle (hObject=0x208) returned 1 [0047.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0047.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.747] lstrlenW (lpString=".doc") returned 4 [0047.747] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0047.747] lstrlenW (lpString=".docx") returned 5 [0047.747] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0047.747] lstrlenW (lpString=".pdf") returned 4 [0047.747] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0047.747] lstrlenW (lpString=".xls") returned 4 [0047.747] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0047.747] lstrlenW (lpString=".xlsx") returned 5 [0047.747] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0047.747] lstrlenW (lpString=".ppt") returned 4 [0047.747] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0047.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.747] lstrlenW (lpString=".zip") returned 4 [0047.748] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString=".rar") returned 4 [0047.748] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString=".bz2") returned 4 [0047.748] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0047.748] lstrlenW (lpString=".7z") returned 3 [0047.748] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0047.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.748] lstrlenW (lpString=".dbf") returned 4 [0047.748] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0047.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.748] lstrlenW (lpString=".1cd") returned 4 [0047.748] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0047.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.748] lstrlenW (lpString=".jpg") returned 4 [0047.748] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0047.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.748] lstrlenW (lpString=".doc") returned 4 [0047.748] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0047.748] lstrlenW (lpString=".docx") returned 5 [0047.748] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0047.748] lstrlenW (lpString=".pdf") returned 4 [0047.748] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString=".xls") returned 4 [0047.748] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString=".xlsx") returned 5 [0047.748] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0047.748] lstrlenW (lpString=".ppt") returned 4 [0047.748] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.748] lstrlenW (lpString=".zip") returned 4 [0047.748] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString=".rar") returned 4 [0047.748] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0047.748] lstrlenW (lpString=".bz2") returned 4 [0047.749] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0047.749] lstrlenW (lpString=".7z") returned 3 [0047.749] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0047.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.749] lstrlenW (lpString=".dbf") returned 4 [0047.749] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0047.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.749] lstrlenW (lpString=".1cd") returned 4 [0047.749] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0047.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0047.749] lstrlenW (lpString=".jpg") returned 4 [0047.749] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0047.749] lstrcmpiW (lpString1=".jpg", lpString2=".NcOv") returned -1 [0047.749] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0047.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.750] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2575) returned 1 [0047.750] CloseHandle (hObject=0x208) returned 1 [0047.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0047.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.750] lstrlenW (lpString=".doc") returned 4 [0047.750] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0047.750] lstrlenW (lpString=".docx") returned 5 [0047.750] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0047.750] lstrlenW (lpString=".pdf") returned 4 [0047.750] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0047.750] lstrlenW (lpString=".xls") returned 4 [0047.750] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0047.750] lstrlenW (lpString=".xlsx") returned 5 [0047.750] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0047.750] lstrlenW (lpString=".ppt") returned 4 [0047.750] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString=".zip") returned 4 [0047.751] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString=".rar") returned 4 [0047.751] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString=".bz2") returned 4 [0047.751] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0047.751] lstrlenW (lpString=".7z") returned 3 [0047.751] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString=".dbf") returned 4 [0047.751] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString=".1cd") returned 4 [0047.751] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString=".jpg") returned 4 [0047.751] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString=".doc") returned 4 [0047.751] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0047.751] lstrlenW (lpString=".docx") returned 5 [0047.751] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0047.751] lstrlenW (lpString=".pdf") returned 4 [0047.751] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString=".xls") returned 4 [0047.751] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString=".xlsx") returned 5 [0047.751] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0047.751] lstrlenW (lpString=".ppt") returned 4 [0047.751] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.751] lstrlenW (lpString=".zip") returned 4 [0047.751] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0047.751] lstrlenW (lpString=".rar") returned 4 [0047.752] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0047.752] lstrlenW (lpString=".bz2") returned 4 [0047.752] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0047.752] lstrlenW (lpString=".7z") returned 3 [0047.752] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0047.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.752] lstrlenW (lpString=".dbf") returned 4 [0047.752] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0047.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.752] lstrlenW (lpString=".1cd") returned 4 [0047.752] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0047.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0047.752] lstrlenW (lpString=".jpg") returned 4 [0047.752] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0047.752] lstrcmpiW (lpString1=".gif", lpString2=".NcOv") returned -1 [0047.752] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0047.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.752] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=4587) returned 1 [0047.752] CloseHandle (hObject=0x208) returned 1 [0047.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0047.753] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.753] lstrlenW (lpString=".doc") returned 4 [0047.753] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0047.753] lstrlenW (lpString=".docx") returned 5 [0047.753] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0047.753] lstrlenW (lpString=".pdf") returned 4 [0047.753] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0047.753] lstrlenW (lpString=".xls") returned 4 [0047.753] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0047.753] lstrlenW (lpString=".xlsx") returned 5 [0047.753] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0047.753] lstrlenW (lpString=".ppt") returned 4 [0047.753] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0047.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.753] lstrlenW (lpString=".zip") returned 4 [0047.753] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0047.753] lstrlenW (lpString=".rar") returned 4 [0047.753] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0047.753] lstrlenW (lpString=".bz2") returned 4 [0047.753] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0047.753] lstrlenW (lpString=".7z") returned 3 [0047.753] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0047.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.753] lstrlenW (lpString=".dbf") returned 4 [0047.753] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0047.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.753] lstrlenW (lpString=".1cd") returned 4 [0047.753] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0047.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.753] lstrlenW (lpString=".jpg") returned 4 [0047.753] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0047.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.754] lstrlenW (lpString=".doc") returned 4 [0047.754] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0047.754] lstrlenW (lpString=".docx") returned 5 [0047.754] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0047.754] lstrlenW (lpString=".pdf") returned 4 [0047.754] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0047.754] lstrlenW (lpString=".xls") returned 4 [0047.754] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0047.754] lstrlenW (lpString=".xlsx") returned 5 [0047.754] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0047.754] lstrlenW (lpString=".ppt") returned 4 [0047.754] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0047.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.754] lstrlenW (lpString=".zip") returned 4 [0047.754] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0047.754] lstrlenW (lpString=".rar") returned 4 [0047.754] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0047.754] lstrlenW (lpString=".bz2") returned 4 [0047.754] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0047.754] lstrlenW (lpString=".7z") returned 3 [0047.754] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0047.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.754] lstrlenW (lpString=".dbf") returned 4 [0047.754] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0047.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.754] lstrlenW (lpString=".1cd") returned 4 [0047.754] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0047.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0047.754] lstrlenW (lpString=".jpg") returned 4 [0047.754] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0047.755] lstrcmpiW (lpString1=".gif", lpString2=".NcOv") returned -1 [0047.755] lstrlenW (lpString="Connectivity.gif") returned 16 [0047.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.755] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2319) returned 1 [0047.755] CloseHandle (hObject=0x208) returned 1 [0047.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0047.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.755] lstrlenW (lpString=".doc") returned 4 [0047.755] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0047.755] lstrlenW (lpString=".docx") returned 5 [0047.755] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0047.755] lstrlenW (lpString=".pdf") returned 4 [0047.755] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0047.755] lstrlenW (lpString=".xls") returned 4 [0047.755] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0047.755] lstrlenW (lpString=".xlsx") returned 5 [0047.755] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0047.755] lstrlenW (lpString=".ppt") returned 4 [0047.755] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString=".zip") returned 4 [0047.756] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString=".rar") returned 4 [0047.756] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString=".bz2") returned 4 [0047.756] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0047.756] lstrlenW (lpString=".7z") returned 3 [0047.756] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString=".dbf") returned 4 [0047.756] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString=".1cd") returned 4 [0047.756] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString=".jpg") returned 4 [0047.756] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString=".doc") returned 4 [0047.756] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0047.756] lstrlenW (lpString=".docx") returned 5 [0047.756] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0047.756] lstrlenW (lpString=".pdf") returned 4 [0047.756] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString=".xls") returned 4 [0047.756] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString=".xlsx") returned 5 [0047.756] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0047.756] lstrlenW (lpString=".ppt") returned 4 [0047.756] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.756] lstrlenW (lpString=".zip") returned 4 [0047.756] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0047.756] lstrlenW (lpString=".rar") returned 4 [0047.756] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0047.757] lstrlenW (lpString=".bz2") returned 4 [0047.757] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0047.757] lstrlenW (lpString=".7z") returned 3 [0047.757] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0047.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.757] lstrlenW (lpString=".dbf") returned 4 [0047.757] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0047.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.757] lstrlenW (lpString=".1cd") returned 4 [0047.757] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0047.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0047.757] lstrlenW (lpString=".jpg") returned 4 [0047.757] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0047.757] lstrcmpiW (lpString1=".ini", lpString2=".NcOv") returned -1 [0047.757] lstrlenW (lpString="Desktop.ini") returned 11 [0047.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.758] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=645) returned 1 [0047.758] CloseHandle (hObject=0x208) returned 1 [0047.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0047.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.758] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.758] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.758] GetLastError () returned 0x0 [0047.758] ReadFile (in: hFile=0x208, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x285, lpOverlapped=0x0) returned 1 [0047.759] WriteFile (in: hFile=0x1ec, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x290, lpOverlapped=0x0) returned 1 [0047.760] ReadFile (in: hFile=0x208, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.760] WriteFile (in: hFile=0x1ec, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.760] SetEndOfFile (hFile=0x1ec) returned 1 [0047.760] CloseHandle (hObject=0x1ec) returned 1 [0047.761] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.761] SetEndOfFile (hFile=0x208) returned 1 [0047.761] CloseHandle (hObject=0x208) returned 1 [0047.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x26) returned 1 [0047.762] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0047.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.762] lstrlenW (lpString=".doc") returned 4 [0047.762] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0047.762] lstrlenW (lpString=".docx") returned 5 [0047.762] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0047.762] lstrlenW (lpString=".pdf") returned 4 [0047.762] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.762] lstrlenW (lpString=".xls") returned 4 [0047.762] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0047.762] lstrlenW (lpString=".xlsx") returned 5 [0047.762] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0047.762] lstrlenW (lpString=".ppt") returned 4 [0047.762] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.762] lstrlenW (lpString=".zip") returned 4 [0047.762] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0047.762] lstrlenW (lpString=".rar") returned 4 [0047.762] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0047.762] lstrlenW (lpString=".bz2") returned 4 [0047.762] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0047.763] lstrlenW (lpString=".7z") returned 3 [0047.763] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.763] lstrlenW (lpString=".dbf") returned 4 [0047.763] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.763] lstrlenW (lpString=".1cd") returned 4 [0047.763] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.763] lstrlenW (lpString=".jpg") returned 4 [0047.763] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.763] lstrlenW (lpString=".doc") returned 4 [0047.763] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0047.763] lstrlenW (lpString=".docx") returned 5 [0047.763] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0047.763] lstrlenW (lpString=".pdf") returned 4 [0047.763] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.763] lstrlenW (lpString=".xls") returned 4 [0047.763] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0047.763] lstrlenW (lpString=".xlsx") returned 5 [0047.763] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0047.763] lstrlenW (lpString=".ppt") returned 4 [0047.763] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.763] lstrlenW (lpString=".zip") returned 4 [0047.763] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0047.763] lstrlenW (lpString=".rar") returned 4 [0047.763] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0047.763] lstrlenW (lpString=".bz2") returned 4 [0047.763] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0047.763] lstrlenW (lpString=".7z") returned 3 [0047.763] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0047.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.764] lstrlenW (lpString=".dbf") returned 4 [0047.764] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0047.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.764] lstrlenW (lpString=".1cd") returned 4 [0047.764] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0047.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0047.764] lstrlenW (lpString=".jpg") returned 4 [0047.764] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0047.764] lstrcmpiW (lpString1=".emf", lpString2=".NcOv") returned -1 [0047.764] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0047.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.764] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=3792) returned 1 [0047.764] CloseHandle (hObject=0x208) returned 1 [0047.764] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0047.764] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString=".doc") returned 4 [0047.765] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0047.765] lstrlenW (lpString=".docx") returned 5 [0047.765] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0047.765] lstrlenW (lpString=".pdf") returned 4 [0047.765] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0047.765] lstrlenW (lpString=".xls") returned 4 [0047.765] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0047.765] lstrlenW (lpString=".xlsx") returned 5 [0047.765] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0047.765] lstrlenW (lpString=".ppt") returned 4 [0047.765] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString=".zip") returned 4 [0047.765] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0047.765] lstrlenW (lpString=".rar") returned 4 [0047.765] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0047.765] lstrlenW (lpString=".bz2") returned 4 [0047.765] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0047.765] lstrlenW (lpString=".7z") returned 3 [0047.765] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString=".dbf") returned 4 [0047.765] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString=".1cd") returned 4 [0047.765] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString=".jpg") returned 4 [0047.765] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.765] lstrlenW (lpString=".doc") returned 4 [0047.765] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0047.766] lstrlenW (lpString=".docx") returned 5 [0047.766] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0047.766] lstrlenW (lpString=".pdf") returned 4 [0047.766] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0047.766] lstrlenW (lpString=".xls") returned 4 [0047.766] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0047.766] lstrlenW (lpString=".xlsx") returned 5 [0047.766] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0047.766] lstrlenW (lpString=".ppt") returned 4 [0047.766] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0047.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.766] lstrlenW (lpString=".zip") returned 4 [0047.766] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0047.766] lstrlenW (lpString=".rar") returned 4 [0047.766] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0047.766] lstrlenW (lpString=".bz2") returned 4 [0047.766] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0047.766] lstrlenW (lpString=".7z") returned 3 [0047.766] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0047.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.766] lstrlenW (lpString=".dbf") returned 4 [0047.766] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0047.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.766] lstrlenW (lpString=".1cd") returned 4 [0047.766] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0047.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0047.766] lstrlenW (lpString=".jpg") returned 4 [0047.766] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0047.766] lstrcmpiW (lpString1=".htm", lpString2=".NcOv") returned -1 [0047.766] lstrlenW (lpString="Garden.htm") returned 10 [0047.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.767] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=231) returned 1 [0047.767] CloseHandle (hObject=0x208) returned 1 [0047.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0047.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.767] lstrlenW (lpString=".doc") returned 4 [0047.767] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0047.767] lstrlenW (lpString=".docx") returned 5 [0047.767] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0047.767] lstrlenW (lpString=".pdf") returned 4 [0047.767] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0047.767] lstrlenW (lpString=".xls") returned 4 [0047.767] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0047.767] lstrlenW (lpString=".xlsx") returned 5 [0047.767] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0047.767] lstrlenW (lpString=".ppt") returned 4 [0047.767] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0047.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.767] lstrlenW (lpString=".zip") returned 4 [0047.767] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0047.767] lstrlenW (lpString=".rar") returned 4 [0047.767] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString=".bz2") returned 4 [0047.768] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0047.768] lstrlenW (lpString=".7z") returned 3 [0047.768] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0047.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.768] lstrlenW (lpString=".dbf") returned 4 [0047.768] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0047.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.768] lstrlenW (lpString=".1cd") returned 4 [0047.768] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0047.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.768] lstrlenW (lpString=".jpg") returned 4 [0047.768] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.768] lstrlenW (lpString=".doc") returned 4 [0047.768] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0047.768] lstrlenW (lpString=".docx") returned 5 [0047.768] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0047.768] lstrlenW (lpString=".pdf") returned 4 [0047.768] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString=".xls") returned 4 [0047.768] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString=".xlsx") returned 5 [0047.768] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0047.768] lstrlenW (lpString=".ppt") returned 4 [0047.768] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.768] lstrlenW (lpString=".zip") returned 4 [0047.768] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString=".rar") returned 4 [0047.768] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0047.768] lstrlenW (lpString=".bz2") returned 4 [0047.768] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0047.768] lstrlenW (lpString=".7z") returned 3 [0047.768] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.769] lstrlenW (lpString=".dbf") returned 4 [0047.769] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.769] lstrlenW (lpString=".1cd") returned 4 [0047.769] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0047.769] lstrlenW (lpString=".jpg") returned 4 [0047.769] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0047.769] lstrcmpiW (lpString1=".jpg", lpString2=".NcOv") returned -1 [0047.769] lstrlenW (lpString="Garden.jpg") returned 10 [0047.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.769] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=23871) returned 1 [0047.769] CloseHandle (hObject=0x208) returned 1 [0047.769] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0047.769] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString=".doc") returned 4 [0047.770] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0047.770] lstrlenW (lpString=".docx") returned 5 [0047.770] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0047.770] lstrlenW (lpString=".pdf") returned 4 [0047.770] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0047.770] lstrlenW (lpString=".xls") returned 4 [0047.770] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0047.770] lstrlenW (lpString=".xlsx") returned 5 [0047.770] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0047.770] lstrlenW (lpString=".ppt") returned 4 [0047.770] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString=".zip") returned 4 [0047.770] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0047.770] lstrlenW (lpString=".rar") returned 4 [0047.770] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0047.770] lstrlenW (lpString=".bz2") returned 4 [0047.770] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0047.770] lstrlenW (lpString=".7z") returned 3 [0047.770] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString=".dbf") returned 4 [0047.770] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString=".1cd") returned 4 [0047.770] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString=".jpg") returned 4 [0047.770] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.770] lstrlenW (lpString=".doc") returned 4 [0047.770] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0047.771] lstrlenW (lpString=".docx") returned 5 [0047.771] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0047.771] lstrlenW (lpString=".pdf") returned 4 [0047.771] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0047.771] lstrlenW (lpString=".xls") returned 4 [0047.771] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0047.771] lstrlenW (lpString=".xlsx") returned 5 [0047.771] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0047.771] lstrlenW (lpString=".ppt") returned 4 [0047.771] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0047.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.771] lstrlenW (lpString=".zip") returned 4 [0047.771] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0047.771] lstrlenW (lpString=".rar") returned 4 [0047.771] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0047.771] lstrlenW (lpString=".bz2") returned 4 [0047.771] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0047.771] lstrlenW (lpString=".7z") returned 3 [0047.771] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0047.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.771] lstrlenW (lpString=".dbf") returned 4 [0047.771] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0047.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.771] lstrlenW (lpString=".1cd") returned 4 [0047.771] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0047.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0047.771] lstrlenW (lpString=".jpg") returned 4 [0047.771] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0047.771] lstrcmpiW (lpString1=".emf", lpString2=".NcOv") returned -1 [0047.771] lstrlenW (lpString="Genko_1.emf") returned 11 [0047.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0048.337] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=5524) returned 1 [0048.337] CloseHandle (hObject=0x1dc) returned 1 [0048.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0048.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.338] lstrlenW (lpString=".doc") returned 4 [0048.338] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0048.338] lstrlenW (lpString=".docx") returned 5 [0048.338] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0048.338] lstrlenW (lpString=".pdf") returned 4 [0048.338] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0048.338] lstrlenW (lpString=".xls") returned 4 [0048.338] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0048.338] lstrlenW (lpString=".xlsx") returned 5 [0048.338] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0048.338] lstrlenW (lpString=".ppt") returned 4 [0048.338] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0048.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.338] lstrlenW (lpString=".zip") returned 4 [0048.338] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0048.338] lstrlenW (lpString=".rar") returned 4 [0048.338] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0048.338] lstrlenW (lpString=".bz2") returned 4 [0048.338] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0048.338] lstrlenW (lpString=".7z") returned 3 [0048.338] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0048.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.338] lstrlenW (lpString=".dbf") returned 4 [0048.338] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0048.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.338] lstrlenW (lpString=".1cd") returned 4 [0048.338] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0048.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.338] lstrlenW (lpString=".jpg") returned 4 [0048.338] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0048.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.339] lstrlenW (lpString=".doc") returned 4 [0048.339] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0048.339] lstrlenW (lpString=".docx") returned 5 [0048.339] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0048.339] lstrlenW (lpString=".pdf") returned 4 [0048.339] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0048.339] lstrlenW (lpString=".xls") returned 4 [0048.339] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0048.339] lstrlenW (lpString=".xlsx") returned 5 [0048.339] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0048.339] lstrlenW (lpString=".ppt") returned 4 [0048.339] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0048.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.339] lstrlenW (lpString=".zip") returned 4 [0048.339] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0048.339] lstrlenW (lpString=".rar") returned 4 [0048.339] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0048.339] lstrlenW (lpString=".bz2") returned 4 [0048.339] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0048.339] lstrlenW (lpString=".7z") returned 3 [0048.339] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0048.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.339] lstrlenW (lpString=".dbf") returned 4 [0048.339] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0048.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.339] lstrlenW (lpString=".1cd") returned 4 [0048.339] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0048.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0048.339] lstrlenW (lpString=".jpg") returned 4 [0048.339] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0048.340] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0048.340] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.040] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2181) returned 1 [0049.040] CloseHandle (hObject=0x1ec) returned 1 [0049.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0049.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.040] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.040] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.359] GetLastError () returned 0x0 [0049.359] ReadFile (in: hFile=0x1ec, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x885, lpOverlapped=0x0) returned 1 [0049.365] WriteFile (in: hFile=0x210, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x890, lpOverlapped=0x0) returned 1 [0049.369] ReadFile (in: hFile=0x1ec, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.369] WriteFile (in: hFile=0x210, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.369] SetEndOfFile (hFile=0x210) returned 1 [0049.369] CloseHandle (hObject=0x210) returned 1 [0049.370] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.370] SetEndOfFile (hFile=0x1ec) returned 1 [0049.371] CloseHandle (hObject=0x1ec) returned 1 [0049.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.371] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0049.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.372] lstrlenW (lpString=".doc") returned 4 [0049.372] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.372] lstrlenW (lpString=".docx") returned 5 [0049.372] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.372] lstrlenW (lpString=".pdf") returned 4 [0049.372] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.372] lstrlenW (lpString=".xls") returned 4 [0049.372] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.372] lstrlenW (lpString=".xlsx") returned 5 [0049.372] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.372] lstrlenW (lpString=".ppt") returned 4 [0049.372] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.372] lstrlenW (lpString=".zip") returned 4 [0049.372] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.372] lstrlenW (lpString=".rar") returned 4 [0049.372] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.372] lstrlenW (lpString=".bz2") returned 4 [0049.372] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.372] lstrlenW (lpString=".7z") returned 3 [0049.372] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.372] lstrlenW (lpString=".dbf") returned 4 [0049.372] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.372] lstrlenW (lpString=".1cd") returned 4 [0049.372] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.372] lstrlenW (lpString=".jpg") returned 4 [0049.373] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.373] lstrlenW (lpString=".doc") returned 4 [0049.373] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.373] lstrlenW (lpString=".docx") returned 5 [0049.373] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.373] lstrlenW (lpString=".pdf") returned 4 [0049.373] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.373] lstrlenW (lpString=".xls") returned 4 [0049.373] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.373] lstrlenW (lpString=".xlsx") returned 5 [0049.373] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.373] lstrlenW (lpString=".ppt") returned 4 [0049.373] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.373] lstrlenW (lpString=".zip") returned 4 [0049.373] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.373] lstrlenW (lpString=".rar") returned 4 [0049.373] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.373] lstrlenW (lpString=".bz2") returned 4 [0049.373] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.373] lstrlenW (lpString=".7z") returned 3 [0049.373] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.373] lstrlenW (lpString=".dbf") returned 4 [0049.373] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.374] lstrlenW (lpString=".1cd") returned 4 [0049.374] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.374] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0049.374] lstrlenW (lpString=".jpg") returned 4 [0049.374] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.374] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0049.374] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.374] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1363) returned 1 [0049.374] CloseHandle (hObject=0x1ec) returned 1 [0049.375] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0049.375] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.375] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.375] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.375] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.375] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.377] GetLastError () returned 0x0 [0049.377] ReadFile (in: hFile=0x1ec, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x553, lpOverlapped=0x0) returned 1 [0049.379] WriteFile (in: hFile=0x210, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x560, lpOverlapped=0x0) returned 1 [0049.381] ReadFile (in: hFile=0x1ec, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.381] WriteFile (in: hFile=0x210, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.381] SetEndOfFile (hFile=0x210) returned 1 [0049.381] CloseHandle (hObject=0x210) returned 1 [0049.381] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.381] SetEndOfFile (hFile=0x1ec) returned 1 [0049.382] CloseHandle (hObject=0x1ec) returned 1 [0049.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.383] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0049.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.383] lstrlenW (lpString=".doc") returned 4 [0049.383] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.383] lstrlenW (lpString=".docx") returned 5 [0049.383] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.383] lstrlenW (lpString=".pdf") returned 4 [0049.383] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.383] lstrlenW (lpString=".xls") returned 4 [0049.383] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.383] lstrlenW (lpString=".xlsx") returned 5 [0049.384] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.384] lstrlenW (lpString=".ppt") returned 4 [0049.384] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.384] lstrlenW (lpString=".zip") returned 4 [0049.384] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.384] lstrlenW (lpString=".rar") returned 4 [0049.384] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.384] lstrlenW (lpString=".bz2") returned 4 [0049.384] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.384] lstrlenW (lpString=".7z") returned 3 [0049.384] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.384] lstrlenW (lpString=".dbf") returned 4 [0049.384] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.384] lstrlenW (lpString=".1cd") returned 4 [0049.384] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.384] lstrlenW (lpString=".jpg") returned 4 [0049.384] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.384] lstrlenW (lpString=".doc") returned 4 [0049.384] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.384] lstrlenW (lpString=".docx") returned 5 [0049.384] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.384] lstrlenW (lpString=".pdf") returned 4 [0049.385] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.385] lstrlenW (lpString=".xls") returned 4 [0049.385] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.385] lstrlenW (lpString=".xlsx") returned 5 [0049.385] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.385] lstrlenW (lpString=".ppt") returned 4 [0049.385] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.385] lstrlenW (lpString=".zip") returned 4 [0049.385] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.385] lstrlenW (lpString=".rar") returned 4 [0049.385] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.385] lstrlenW (lpString=".bz2") returned 4 [0049.385] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.385] lstrlenW (lpString=".7z") returned 3 [0049.385] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.385] lstrlenW (lpString=".dbf") returned 4 [0049.385] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.385] lstrlenW (lpString=".1cd") returned 4 [0049.385] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0049.385] lstrlenW (lpString=".jpg") returned 4 [0049.385] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.386] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.386] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.386] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=20371) returned 1 [0049.386] CloseHandle (hObject=0x1ec) returned 1 [0049.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0049.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.387] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.387] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.387] GetLastError () returned 0x0 [0049.387] ReadFile (in: hFile=0x1ec, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x4f93, lpOverlapped=0x0) returned 1 [0049.390] WriteFile (in: hFile=0x210, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0049.391] ReadFile (in: hFile=0x1ec, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.391] WriteFile (in: hFile=0x210, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.392] SetEndOfFile (hFile=0x210) returned 1 [0049.392] CloseHandle (hObject=0x210) returned 1 [0049.392] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.392] SetEndOfFile (hFile=0x1ec) returned 1 [0049.393] CloseHandle (hObject=0x1ec) returned 1 [0049.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.393] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0049.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.394] lstrlenW (lpString=".doc") returned 4 [0049.394] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.394] lstrlenW (lpString=".docx") returned 5 [0049.394] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.394] lstrlenW (lpString=".pdf") returned 4 [0049.394] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.394] lstrlenW (lpString=".xls") returned 4 [0049.394] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.394] lstrlenW (lpString=".xlsx") returned 5 [0049.394] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.394] lstrlenW (lpString=".ppt") returned 4 [0049.394] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.394] lstrlenW (lpString=".zip") returned 4 [0049.394] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.394] lstrlenW (lpString=".rar") returned 4 [0049.394] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.394] lstrlenW (lpString=".bz2") returned 4 [0049.394] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.395] lstrlenW (lpString=".7z") returned 3 [0049.395] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.395] lstrlenW (lpString=".dbf") returned 4 [0049.395] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.395] lstrlenW (lpString=".1cd") returned 4 [0049.395] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.395] lstrlenW (lpString=".jpg") returned 4 [0049.395] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.395] lstrlenW (lpString=".doc") returned 4 [0049.395] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.395] lstrlenW (lpString=".docx") returned 5 [0049.395] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.395] lstrlenW (lpString=".pdf") returned 4 [0049.395] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.395] lstrlenW (lpString=".xls") returned 4 [0049.395] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.395] lstrlenW (lpString=".xlsx") returned 5 [0049.395] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.395] lstrlenW (lpString=".ppt") returned 4 [0049.395] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.395] lstrlenW (lpString=".zip") returned 4 [0049.395] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.396] lstrlenW (lpString=".rar") returned 4 [0049.396] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.396] lstrlenW (lpString=".bz2") returned 4 [0049.396] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.396] lstrlenW (lpString=".7z") returned 3 [0049.396] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.396] lstrlenW (lpString=".dbf") returned 4 [0049.396] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.396] lstrlenW (lpString=".1cd") returned 4 [0049.396] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0049.396] lstrlenW (lpString=".jpg") returned 4 [0049.396] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.048] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.049] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.049] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.929] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=60724) returned 1 [0050.929] CloseHandle (hObject=0x1dc) returned 1 [0050.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0050.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.929] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.929] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.930] GetLastError () returned 0x0 [0050.930] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xed34, lpOverlapped=0x0) returned 1 [0050.952] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xed40, lpOverlapped=0x0) returned 1 [0050.954] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.954] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.955] SetEndOfFile (hFile=0x188) returned 1 [0050.955] CloseHandle (hObject=0x188) returned 1 [0050.955] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.955] SetEndOfFile (hFile=0x1dc) returned 1 [0050.956] CloseHandle (hObject=0x1dc) returned 1 [0050.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.957] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0050.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.957] lstrlenW (lpString=".doc") returned 4 [0050.957] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.957] lstrlenW (lpString=".docx") returned 5 [0050.957] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.957] lstrlenW (lpString=".pdf") returned 4 [0050.957] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.957] lstrlenW (lpString=".xls") returned 4 [0050.957] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.957] lstrlenW (lpString=".xlsx") returned 5 [0050.957] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.957] lstrlenW (lpString=".ppt") returned 4 [0050.957] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.957] lstrlenW (lpString=".zip") returned 4 [0050.957] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.957] lstrlenW (lpString=".rar") returned 4 [0050.957] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.957] lstrlenW (lpString=".bz2") returned 4 [0050.957] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.957] lstrlenW (lpString=".7z") returned 3 [0050.958] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString=".dbf") returned 4 [0050.958] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString=".1cd") returned 4 [0050.958] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString=".jpg") returned 4 [0050.958] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString=".doc") returned 4 [0050.958] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.958] lstrlenW (lpString=".docx") returned 5 [0050.958] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.958] lstrlenW (lpString=".pdf") returned 4 [0050.958] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.958] lstrlenW (lpString=".xls") returned 4 [0050.958] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.958] lstrlenW (lpString=".xlsx") returned 5 [0050.958] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.958] lstrlenW (lpString=".ppt") returned 4 [0050.958] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString=".zip") returned 4 [0050.958] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.958] lstrlenW (lpString=".rar") returned 4 [0050.958] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.958] lstrlenW (lpString=".bz2") returned 4 [0050.958] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.958] lstrlenW (lpString=".7z") returned 3 [0050.958] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.958] lstrlenW (lpString=".dbf") returned 4 [0050.958] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.959] lstrlenW (lpString=".1cd") returned 4 [0050.959] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0050.959] lstrlenW (lpString=".jpg") returned 4 [0050.959] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.959] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.959] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.963] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=44850) returned 1 [0050.963] CloseHandle (hObject=0x1dc) returned 1 [0050.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0050.964] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.964] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.964] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.964] GetLastError () returned 0x0 [0050.964] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xaf32, lpOverlapped=0x0) returned 1 [0050.968] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0050.969] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.969] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.970] SetEndOfFile (hFile=0x188) returned 1 [0050.970] CloseHandle (hObject=0x188) returned 1 [0050.970] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.970] SetEndOfFile (hFile=0x1dc) returned 1 [0050.971] CloseHandle (hObject=0x1dc) returned 1 [0050.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.972] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0050.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.972] lstrlenW (lpString=".doc") returned 4 [0050.972] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.972] lstrlenW (lpString=".docx") returned 5 [0050.972] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.972] lstrlenW (lpString=".pdf") returned 4 [0050.972] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.972] lstrlenW (lpString=".xls") returned 4 [0050.972] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.972] lstrlenW (lpString=".xlsx") returned 5 [0050.972] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.972] lstrlenW (lpString=".ppt") returned 4 [0050.972] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.972] lstrlenW (lpString=".zip") returned 4 [0050.972] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.973] lstrlenW (lpString=".rar") returned 4 [0050.973] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.973] lstrlenW (lpString=".bz2") returned 4 [0050.973] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.973] lstrlenW (lpString=".7z") returned 3 [0050.973] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.973] lstrlenW (lpString=".dbf") returned 4 [0050.973] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.973] lstrlenW (lpString=".1cd") returned 4 [0050.973] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.973] lstrlenW (lpString=".jpg") returned 4 [0050.973] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.973] lstrlenW (lpString=".doc") returned 4 [0050.973] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.973] lstrlenW (lpString=".docx") returned 5 [0050.973] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.973] lstrlenW (lpString=".pdf") returned 4 [0050.973] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.973] lstrlenW (lpString=".xls") returned 4 [0050.973] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.973] lstrlenW (lpString=".xlsx") returned 5 [0050.973] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.973] lstrlenW (lpString=".ppt") returned 4 [0050.973] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.973] lstrlenW (lpString=".zip") returned 4 [0050.973] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.973] lstrlenW (lpString=".rar") returned 4 [0050.973] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.973] lstrlenW (lpString=".bz2") returned 4 [0050.974] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.974] lstrlenW (lpString=".7z") returned 3 [0050.974] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.974] lstrlenW (lpString=".dbf") returned 4 [0050.974] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.974] lstrlenW (lpString=".1cd") returned 4 [0050.974] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0050.974] lstrlenW (lpString=".jpg") returned 4 [0050.974] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.974] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0050.974] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0050.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.974] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1379) returned 1 [0050.974] CloseHandle (hObject=0x1dc) returned 1 [0050.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0050.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.975] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.975] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.977] GetLastError () returned 0x0 [0050.977] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x563, lpOverlapped=0x0) returned 1 [0050.979] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x570, lpOverlapped=0x0) returned 1 [0050.980] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.980] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.980] SetEndOfFile (hFile=0x188) returned 1 [0050.980] CloseHandle (hObject=0x188) returned 1 [0050.980] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.980] SetEndOfFile (hFile=0x1dc) returned 1 [0050.981] CloseHandle (hObject=0x1dc) returned 1 [0050.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.982] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.982] lstrlenW (lpString=".doc") returned 4 [0050.982] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.982] lstrlenW (lpString=".docx") returned 5 [0050.982] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0050.982] lstrlenW (lpString=".pdf") returned 4 [0050.982] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".xls") returned 4 [0050.982] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".xlsx") returned 5 [0050.982] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0050.982] lstrlenW (lpString=".ppt") returned 4 [0050.982] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.982] lstrlenW (lpString=".zip") returned 4 [0050.982] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".rar") returned 4 [0050.982] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".bz2") returned 4 [0050.982] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.982] lstrlenW (lpString=".7z") returned 3 [0050.982] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.982] lstrlenW (lpString=".dbf") returned 4 [0050.982] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.982] lstrlenW (lpString=".1cd") returned 4 [0050.983] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString=".jpg") returned 4 [0050.983] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString=".doc") returned 4 [0050.983] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.983] lstrlenW (lpString=".docx") returned 5 [0050.983] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0050.983] lstrlenW (lpString=".pdf") returned 4 [0050.983] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.983] lstrlenW (lpString=".xls") returned 4 [0050.983] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.983] lstrlenW (lpString=".xlsx") returned 5 [0050.983] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0050.983] lstrlenW (lpString=".ppt") returned 4 [0050.983] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString=".zip") returned 4 [0050.983] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.983] lstrlenW (lpString=".rar") returned 4 [0050.983] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.983] lstrlenW (lpString=".bz2") returned 4 [0050.983] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.983] lstrlenW (lpString=".7z") returned 3 [0050.983] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString=".dbf") returned 4 [0050.983] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString=".1cd") returned 4 [0050.983] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0050.983] lstrlenW (lpString=".jpg") returned 4 [0050.983] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.984] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.984] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.984] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=48115) returned 1 [0050.984] CloseHandle (hObject=0x1dc) returned 1 [0050.984] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0050.984] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.984] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.985] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.985] GetLastError () returned 0x0 [0050.985] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0051.145] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0051.146] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.146] WriteFile (in: hFile=0x188, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.146] SetEndOfFile (hFile=0x188) returned 1 [0051.147] CloseHandle (hObject=0x188) returned 1 [0051.147] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.147] SetEndOfFile (hFile=0x1dc) returned 1 [0051.148] CloseHandle (hObject=0x1dc) returned 1 [0051.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.148] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0051.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.148] lstrlenW (lpString=".doc") returned 4 [0051.148] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.148] lstrlenW (lpString=".docx") returned 5 [0051.149] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.149] lstrlenW (lpString=".pdf") returned 4 [0051.149] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.149] lstrlenW (lpString=".xls") returned 4 [0051.149] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.149] lstrlenW (lpString=".xlsx") returned 5 [0051.149] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.149] lstrlenW (lpString=".ppt") returned 4 [0051.149] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.149] lstrlenW (lpString=".zip") returned 4 [0051.149] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.149] lstrlenW (lpString=".rar") returned 4 [0051.149] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.149] lstrlenW (lpString=".bz2") returned 4 [0051.149] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.149] lstrlenW (lpString=".7z") returned 3 [0051.149] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.149] lstrlenW (lpString=".dbf") returned 4 [0051.149] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.149] lstrlenW (lpString=".1cd") returned 4 [0051.149] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.149] lstrlenW (lpString=".jpg") returned 4 [0051.149] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.149] lstrlenW (lpString=".doc") returned 4 [0051.149] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.149] lstrlenW (lpString=".docx") returned 5 [0051.149] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.149] lstrlenW (lpString=".pdf") returned 4 [0051.149] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.150] lstrlenW (lpString=".xls") returned 4 [0051.150] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.150] lstrlenW (lpString=".xlsx") returned 5 [0051.150] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.150] lstrlenW (lpString=".ppt") returned 4 [0051.150] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.150] lstrlenW (lpString=".zip") returned 4 [0051.150] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.150] lstrlenW (lpString=".rar") returned 4 [0051.150] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.150] lstrlenW (lpString=".bz2") returned 4 [0051.150] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.150] lstrlenW (lpString=".7z") returned 3 [0051.150] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.150] lstrlenW (lpString=".dbf") returned 4 [0051.150] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.150] lstrlenW (lpString=".1cd") returned 4 [0051.150] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0051.150] lstrlenW (lpString=".jpg") returned 4 [0051.150] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.150] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.150] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.150] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.151] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1364) returned 1 [0051.151] CloseHandle (hObject=0x1dc) returned 1 [0051.151] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0051.151] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.151] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.151] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.535] GetLastError () returned 0x0 [0051.535] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x554, lpOverlapped=0x0) returned 1 [0051.544] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x560, lpOverlapped=0x0) returned 1 [0051.546] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.546] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.546] SetEndOfFile (hFile=0x204) returned 1 [0051.546] CloseHandle (hObject=0x204) returned 1 [0051.546] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.547] SetEndOfFile (hFile=0x1dc) returned 1 [0051.547] CloseHandle (hObject=0x1dc) returned 1 [0051.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.555] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0051.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.556] lstrlenW (lpString=".doc") returned 4 [0051.556] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.556] lstrlenW (lpString=".docx") returned 5 [0051.556] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.556] lstrlenW (lpString=".pdf") returned 4 [0051.556] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.556] lstrlenW (lpString=".xls") returned 4 [0051.556] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.556] lstrlenW (lpString=".xlsx") returned 5 [0051.556] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.556] lstrlenW (lpString=".ppt") returned 4 [0051.556] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.556] lstrlenW (lpString=".zip") returned 4 [0051.556] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.556] lstrlenW (lpString=".rar") returned 4 [0051.556] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.556] lstrlenW (lpString=".bz2") returned 4 [0051.556] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.556] lstrlenW (lpString=".7z") returned 3 [0051.556] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.556] lstrlenW (lpString=".dbf") returned 4 [0051.556] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.556] lstrlenW (lpString=".1cd") returned 4 [0051.557] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.557] lstrlenW (lpString=".jpg") returned 4 [0051.557] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.557] lstrlenW (lpString=".doc") returned 4 [0051.557] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.557] lstrlenW (lpString=".docx") returned 5 [0051.557] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.557] lstrlenW (lpString=".pdf") returned 4 [0051.557] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.557] lstrlenW (lpString=".xls") returned 4 [0051.557] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.557] lstrlenW (lpString=".xlsx") returned 5 [0051.557] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.557] lstrlenW (lpString=".ppt") returned 4 [0051.557] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.557] lstrlenW (lpString=".zip") returned 4 [0051.557] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.557] lstrlenW (lpString=".rar") returned 4 [0051.557] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.557] lstrlenW (lpString=".bz2") returned 4 [0051.557] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.557] lstrlenW (lpString=".7z") returned 3 [0051.557] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.558] lstrlenW (lpString=".dbf") returned 4 [0051.558] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.558] lstrlenW (lpString=".1cd") returned 4 [0051.558] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0051.558] lstrlenW (lpString=".jpg") returned 4 [0051.558] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.558] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.558] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.558] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=1423) returned 1 [0051.559] CloseHandle (hObject=0x1dc) returned 1 [0051.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 0x20 [0051.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.559] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.559] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.565] GetLastError () returned 0x0 [0051.565] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x58f, lpOverlapped=0x0) returned 1 [0051.581] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x590, lpOverlapped=0x0) returned 1 [0051.582] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.582] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.582] SetEndOfFile (hFile=0x204) returned 1 [0051.582] CloseHandle (hObject=0x204) returned 1 [0051.583] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.583] SetEndOfFile (hFile=0x1dc) returned 1 [0051.583] CloseHandle (hObject=0x1dc) returned 1 [0051.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.584] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0051.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.584] lstrlenW (lpString=".doc") returned 4 [0051.584] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.584] lstrlenW (lpString=".docx") returned 5 [0051.584] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.584] lstrlenW (lpString=".pdf") returned 4 [0051.584] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.584] lstrlenW (lpString=".xls") returned 4 [0051.584] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.584] lstrlenW (lpString=".xlsx") returned 5 [0051.584] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.584] lstrlenW (lpString=".ppt") returned 4 [0051.584] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.584] lstrlenW (lpString=".zip") returned 4 [0051.584] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.584] lstrlenW (lpString=".rar") returned 4 [0051.584] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString=".bz2") returned 4 [0051.585] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.585] lstrlenW (lpString=".7z") returned 3 [0051.585] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.585] lstrlenW (lpString=".dbf") returned 4 [0051.585] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.585] lstrlenW (lpString=".1cd") returned 4 [0051.585] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.585] lstrlenW (lpString=".jpg") returned 4 [0051.585] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.585] lstrlenW (lpString=".doc") returned 4 [0051.585] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.585] lstrlenW (lpString=".docx") returned 5 [0051.585] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.585] lstrlenW (lpString=".pdf") returned 4 [0051.585] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString=".xls") returned 4 [0051.585] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString=".xlsx") returned 5 [0051.585] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.585] lstrlenW (lpString=".ppt") returned 4 [0051.585] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.585] lstrlenW (lpString=".zip") returned 4 [0051.585] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString=".rar") returned 4 [0051.585] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.585] lstrlenW (lpString=".bz2") returned 4 [0051.585] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.585] lstrlenW (lpString=".7z") returned 3 [0051.586] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.586] lstrlenW (lpString=".dbf") returned 4 [0051.586] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.586] lstrlenW (lpString=".1cd") returned 4 [0051.586] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0051.586] lstrlenW (lpString=".jpg") returned 4 [0051.586] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.586] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.586] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.586] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.586] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=15737) returned 1 [0051.586] CloseHandle (hObject=0x1dc) returned 1 [0051.586] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0051.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.587] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.587] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.587] GetLastError () returned 0x0 [0051.587] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x3d79, lpOverlapped=0x0) returned 1 [0051.590] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0051.591] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.591] WriteFile (in: hFile=0x204, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.591] SetEndOfFile (hFile=0x204) returned 1 [0051.591] CloseHandle (hObject=0x204) returned 1 [0051.591] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.591] SetEndOfFile (hFile=0x1dc) returned 1 [0051.592] CloseHandle (hObject=0x1dc) returned 1 [0051.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.593] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0051.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.593] lstrlenW (lpString=".doc") returned 4 [0051.593] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.593] lstrlenW (lpString=".docx") returned 5 [0051.593] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.593] lstrlenW (lpString=".pdf") returned 4 [0051.593] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.593] lstrlenW (lpString=".xls") returned 4 [0051.593] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.593] lstrlenW (lpString=".xlsx") returned 5 [0051.593] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.593] lstrlenW (lpString=".ppt") returned 4 [0051.593] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.593] lstrlenW (lpString=".zip") returned 4 [0051.593] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.593] lstrlenW (lpString=".rar") returned 4 [0051.593] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.593] lstrlenW (lpString=".bz2") returned 4 [0051.593] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.593] lstrlenW (lpString=".7z") returned 3 [0051.594] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.594] lstrlenW (lpString=".dbf") returned 4 [0051.594] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.594] lstrlenW (lpString=".1cd") returned 4 [0051.594] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.594] lstrlenW (lpString=".jpg") returned 4 [0051.594] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.594] lstrlenW (lpString=".doc") returned 4 [0051.594] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.594] lstrlenW (lpString=".docx") returned 5 [0051.594] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.594] lstrlenW (lpString=".pdf") returned 4 [0051.594] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.594] lstrlenW (lpString=".xls") returned 4 [0051.594] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.594] lstrlenW (lpString=".xlsx") returned 5 [0051.594] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.594] lstrlenW (lpString=".ppt") returned 4 [0051.594] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.594] lstrlenW (lpString=".zip") returned 4 [0051.594] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.595] lstrlenW (lpString=".rar") returned 4 [0051.595] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.595] lstrlenW (lpString=".bz2") returned 4 [0051.595] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.595] lstrlenW (lpString=".7z") returned 3 [0051.595] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.595] lstrlenW (lpString=".dbf") returned 4 [0051.595] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.595] lstrlenW (lpString=".1cd") returned 4 [0051.595] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0051.595] lstrlenW (lpString=".jpg") returned 4 [0051.595] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.595] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.595] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.892] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=3970) returned 1 [0051.892] CloseHandle (hObject=0x1dc) returned 1 [0051.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 0x20 [0051.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.893] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.893] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.893] GetLastError () returned 0x0 [0051.893] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xf82, lpOverlapped=0x0) returned 1 [0051.896] WriteFile (in: hFile=0x20c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xf90, lpOverlapped=0x0) returned 1 [0051.897] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.897] WriteFile (in: hFile=0x20c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.897] SetEndOfFile (hFile=0x20c) returned 1 [0051.897] CloseHandle (hObject=0x20c) returned 1 [0051.897] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.897] SetEndOfFile (hFile=0x1dc) returned 1 [0051.898] CloseHandle (hObject=0x1dc) returned 1 [0051.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.898] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0051.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.898] lstrlenW (lpString=".doc") returned 4 [0051.899] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.899] lstrlenW (lpString=".docx") returned 5 [0051.899] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.899] lstrlenW (lpString=".pdf") returned 4 [0051.899] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.899] lstrlenW (lpString=".xls") returned 4 [0051.899] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.899] lstrlenW (lpString=".xlsx") returned 5 [0051.899] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.899] lstrlenW (lpString=".ppt") returned 4 [0051.899] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.899] lstrlenW (lpString=".zip") returned 4 [0051.899] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.899] lstrlenW (lpString=".rar") returned 4 [0051.899] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.899] lstrlenW (lpString=".bz2") returned 4 [0051.899] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.899] lstrlenW (lpString=".7z") returned 3 [0051.899] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.899] lstrlenW (lpString=".dbf") returned 4 [0051.899] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.899] lstrlenW (lpString=".1cd") returned 4 [0051.899] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.899] lstrlenW (lpString=".jpg") returned 4 [0051.899] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.900] lstrlenW (lpString=".doc") returned 4 [0051.900] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.900] lstrlenW (lpString=".docx") returned 5 [0051.900] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.900] lstrlenW (lpString=".pdf") returned 4 [0051.900] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.900] lstrlenW (lpString=".xls") returned 4 [0051.900] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.900] lstrlenW (lpString=".xlsx") returned 5 [0051.900] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.900] lstrlenW (lpString=".ppt") returned 4 [0051.900] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.900] lstrlenW (lpString=".zip") returned 4 [0051.900] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.900] lstrlenW (lpString=".rar") returned 4 [0051.900] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.900] lstrlenW (lpString=".bz2") returned 4 [0051.900] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.900] lstrlenW (lpString=".7z") returned 3 [0051.900] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.900] lstrlenW (lpString=".dbf") returned 4 [0051.900] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.900] lstrlenW (lpString=".1cd") returned 4 [0051.901] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0051.901] lstrlenW (lpString=".jpg") returned 4 [0051.901] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.901] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.901] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.901] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.902] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=3611) returned 1 [0051.902] CloseHandle (hObject=0x1dc) returned 1 [0051.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 0x20 [0051.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.902] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.902] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.905] GetLastError () returned 0x0 [0051.905] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0xe1b, lpOverlapped=0x0) returned 1 [0051.908] WriteFile (in: hFile=0x20c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe20, lpOverlapped=0x0) returned 1 [0051.909] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.909] WriteFile (in: hFile=0x20c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.909] SetEndOfFile (hFile=0x20c) returned 1 [0051.909] CloseHandle (hObject=0x20c) returned 1 [0051.909] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.910] SetEndOfFile (hFile=0x1dc) returned 1 [0051.911] CloseHandle (hObject=0x1dc) returned 1 [0051.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.911] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0051.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.911] lstrlenW (lpString=".doc") returned 4 [0051.912] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.912] lstrlenW (lpString=".docx") returned 5 [0051.912] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.912] lstrlenW (lpString=".pdf") returned 4 [0051.912] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.912] lstrlenW (lpString=".xls") returned 4 [0051.912] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.912] lstrlenW (lpString=".xlsx") returned 5 [0051.912] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.912] lstrlenW (lpString=".ppt") returned 4 [0051.912] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.912] lstrlenW (lpString=".zip") returned 4 [0051.912] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.912] lstrlenW (lpString=".rar") returned 4 [0051.912] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.912] lstrlenW (lpString=".bz2") returned 4 [0051.912] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.912] lstrlenW (lpString=".7z") returned 3 [0051.912] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.912] lstrlenW (lpString=".dbf") returned 4 [0051.912] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.912] lstrlenW (lpString=".1cd") returned 4 [0051.912] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.912] lstrlenW (lpString=".jpg") returned 4 [0051.912] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.913] lstrlenW (lpString=".doc") returned 4 [0051.913] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.913] lstrlenW (lpString=".docx") returned 5 [0051.913] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.913] lstrlenW (lpString=".pdf") returned 4 [0051.913] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.913] lstrlenW (lpString=".xls") returned 4 [0051.913] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.913] lstrlenW (lpString=".xlsx") returned 5 [0051.913] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.913] lstrlenW (lpString=".ppt") returned 4 [0051.913] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.913] lstrlenW (lpString=".zip") returned 4 [0051.913] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.913] lstrlenW (lpString=".rar") returned 4 [0051.913] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.913] lstrlenW (lpString=".bz2") returned 4 [0051.913] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.913] lstrlenW (lpString=".7z") returned 3 [0051.913] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.913] lstrlenW (lpString=".dbf") returned 4 [0051.914] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.914] lstrlenW (lpString=".1cd") returned 4 [0051.914] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0051.914] lstrlenW (lpString=".jpg") returned 4 [0051.914] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.914] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.914] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.915] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=34163) returned 1 [0051.915] CloseHandle (hObject=0x1dc) returned 1 [0051.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0051.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.915] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.915] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.915] GetLastError () returned 0x0 [0051.915] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x8573, lpOverlapped=0x0) returned 1 [0051.918] WriteFile (in: hFile=0x20c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x8580, lpOverlapped=0x0) returned 1 [0051.920] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.920] WriteFile (in: hFile=0x20c, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.920] SetEndOfFile (hFile=0x20c) returned 1 [0051.920] CloseHandle (hObject=0x20c) returned 1 [0051.920] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.920] SetEndOfFile (hFile=0x1dc) returned 1 [0051.921] CloseHandle (hObject=0x1dc) returned 1 [0051.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.922] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0051.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.922] lstrlenW (lpString=".doc") returned 4 [0051.922] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.922] lstrlenW (lpString=".docx") returned 5 [0051.922] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.922] lstrlenW (lpString=".pdf") returned 4 [0051.922] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.922] lstrlenW (lpString=".xls") returned 4 [0051.922] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.922] lstrlenW (lpString=".xlsx") returned 5 [0051.922] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.922] lstrlenW (lpString=".ppt") returned 4 [0051.922] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.922] lstrlenW (lpString=".zip") returned 4 [0051.922] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.922] lstrlenW (lpString=".rar") returned 4 [0051.922] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.922] lstrlenW (lpString=".bz2") returned 4 [0051.923] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.923] lstrlenW (lpString=".7z") returned 3 [0051.923] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.923] lstrlenW (lpString=".dbf") returned 4 [0051.923] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.923] lstrlenW (lpString=".1cd") returned 4 [0051.923] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.923] lstrlenW (lpString=".jpg") returned 4 [0051.923] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.923] lstrlenW (lpString=".doc") returned 4 [0051.923] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.923] lstrlenW (lpString=".docx") returned 5 [0051.923] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.923] lstrlenW (lpString=".pdf") returned 4 [0051.923] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.923] lstrlenW (lpString=".xls") returned 4 [0051.923] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.923] lstrlenW (lpString=".xlsx") returned 5 [0051.923] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.923] lstrlenW (lpString=".ppt") returned 4 [0051.923] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.923] lstrlenW (lpString=".zip") returned 4 [0051.923] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.923] lstrlenW (lpString=".rar") returned 4 [0051.923] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.923] lstrlenW (lpString=".bz2") returned 4 [0051.923] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.924] lstrlenW (lpString=".7z") returned 3 [0051.924] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.924] lstrlenW (lpString=".dbf") returned 4 [0051.924] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.924] lstrlenW (lpString=".1cd") returned 4 [0051.924] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0051.924] lstrlenW (lpString=".jpg") returned 4 [0051.924] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.924] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.924] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.924] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=937) returned 1 [0051.924] CloseHandle (hObject=0x1dc) returned 1 [0051.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0051.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.925] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.925] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.246] GetLastError () returned 0x0 [0053.246] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x3a9, lpOverlapped=0x0) returned 1 [0053.253] WriteFile (in: hFile=0x1a0, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0053.255] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.255] WriteFile (in: hFile=0x1a0, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.255] SetEndOfFile (hFile=0x1a0) returned 1 [0053.264] CloseHandle (hObject=0x1a0) returned 1 [0053.265] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.265] SetEndOfFile (hFile=0x1dc) returned 1 [0053.266] CloseHandle (hObject=0x1dc) returned 1 [0053.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.267] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0053.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.267] lstrlenW (lpString=".doc") returned 4 [0053.267] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.267] lstrlenW (lpString=".docx") returned 5 [0053.267] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0053.267] lstrlenW (lpString=".pdf") returned 4 [0053.267] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.267] lstrlenW (lpString=".xls") returned 4 [0053.268] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.268] lstrlenW (lpString=".xlsx") returned 5 [0053.268] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0053.268] lstrlenW (lpString=".ppt") returned 4 [0053.268] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.268] lstrlenW (lpString=".zip") returned 4 [0053.268] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.268] lstrlenW (lpString=".rar") returned 4 [0053.268] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.268] lstrlenW (lpString=".bz2") returned 4 [0053.268] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.268] lstrlenW (lpString=".7z") returned 3 [0053.268] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.268] lstrlenW (lpString=".dbf") returned 4 [0053.268] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.268] lstrlenW (lpString=".1cd") returned 4 [0053.268] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.268] lstrlenW (lpString=".jpg") returned 4 [0053.268] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.269] lstrlenW (lpString=".doc") returned 4 [0053.269] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.269] lstrlenW (lpString=".docx") returned 5 [0053.269] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0053.269] lstrlenW (lpString=".pdf") returned 4 [0053.269] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.269] lstrlenW (lpString=".xls") returned 4 [0053.269] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.269] lstrlenW (lpString=".xlsx") returned 5 [0053.269] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0053.269] lstrlenW (lpString=".ppt") returned 4 [0053.269] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.269] lstrlenW (lpString=".zip") returned 4 [0053.269] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.269] lstrlenW (lpString=".rar") returned 4 [0053.269] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.269] lstrlenW (lpString=".bz2") returned 4 [0053.269] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.269] lstrlenW (lpString=".7z") returned 3 [0053.269] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.269] lstrlenW (lpString=".dbf") returned 4 [0053.269] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.269] lstrlenW (lpString=".1cd") returned 4 [0053.269] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0053.270] lstrlenW (lpString=".jpg") returned 4 [0053.270] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.270] lstrcmpiW (lpString1=".CHM", lpString2=".NcOv") returned -1 [0053.270] lstrlenW (lpString="VBOB6.CHM") returned 9 [0053.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0053.270] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=123956) returned 1 [0053.270] CloseHandle (hObject=0x1dc) returned 1 [0053.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0053.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0053.271] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.271] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.272] GetLastError () returned 0x0 [0053.272] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x1e434, lpOverlapped=0x0) returned 1 [0053.299] WriteFile (in: hFile=0x1a0, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0053.304] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.304] WriteFile (in: hFile=0x1a0, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.304] SetEndOfFile (hFile=0x1a0) returned 1 [0053.304] CloseHandle (hObject=0x1a0) returned 1 [0053.304] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.304] SetEndOfFile (hFile=0x1dc) returned 1 [0053.306] CloseHandle (hObject=0x1dc) returned 1 [0053.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.307] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0053.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.307] lstrlenW (lpString=".doc") returned 4 [0053.307] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.307] lstrlenW (lpString=".docx") returned 5 [0053.307] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0053.307] lstrlenW (lpString=".pdf") returned 4 [0053.307] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.307] lstrlenW (lpString=".xls") returned 4 [0053.307] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.307] lstrlenW (lpString=".xlsx") returned 5 [0053.307] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0053.307] lstrlenW (lpString=".ppt") returned 4 [0053.308] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.308] lstrlenW (lpString=".zip") returned 4 [0053.308] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.308] lstrlenW (lpString=".rar") returned 4 [0053.308] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.308] lstrlenW (lpString=".bz2") returned 4 [0053.308] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.308] lstrlenW (lpString=".7z") returned 3 [0053.308] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.308] lstrlenW (lpString=".dbf") returned 4 [0053.308] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.308] lstrlenW (lpString=".1cd") returned 4 [0053.308] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.308] lstrlenW (lpString=".jpg") returned 4 [0053.308] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.308] lstrlenW (lpString=".doc") returned 4 [0053.308] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.308] lstrlenW (lpString=".docx") returned 5 [0053.308] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0053.308] lstrlenW (lpString=".pdf") returned 4 [0053.308] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.309] lstrlenW (lpString=".xls") returned 4 [0053.309] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.309] lstrlenW (lpString=".xlsx") returned 5 [0053.309] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0053.309] lstrlenW (lpString=".ppt") returned 4 [0053.309] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.309] lstrlenW (lpString=".zip") returned 4 [0053.309] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.309] lstrlenW (lpString=".rar") returned 4 [0053.309] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.309] lstrlenW (lpString=".bz2") returned 4 [0053.309] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.309] lstrlenW (lpString=".7z") returned 3 [0053.309] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.309] lstrlenW (lpString=".dbf") returned 4 [0053.309] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.309] lstrlenW (lpString=".1cd") returned 4 [0053.309] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0053.309] lstrlenW (lpString=".jpg") returned 4 [0053.309] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.309] lstrcmpiW (lpString1=".CHM", lpString2=".NcOv") returned -1 [0053.310] lstrlenW (lpString="VBUI6.CHM") returned 9 [0053.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0053.311] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=416918) returned 1 [0053.311] CloseHandle (hObject=0x1dc) returned 1 [0053.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 0x20 [0053.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0053.312] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.312] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.313] GetLastError () returned 0x0 [0053.313] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x65c96, lpOverlapped=0x0) returned 1 [0053.327] WriteFile (in: hFile=0x1a0, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0053.337] ReadFile (in: hFile=0x1dc, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.337] WriteFile (in: hFile=0x1a0, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.337] SetEndOfFile (hFile=0x1a0) returned 1 [0053.337] CloseHandle (hObject=0x1a0) returned 1 [0053.337] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.338] SetEndOfFile (hFile=0x1dc) returned 1 [0053.341] CloseHandle (hObject=0x1dc) returned 1 [0053.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.342] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0053.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.342] lstrlenW (lpString=".doc") returned 4 [0053.342] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.342] lstrlenW (lpString=".docx") returned 5 [0053.342] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0053.342] lstrlenW (lpString=".pdf") returned 4 [0053.342] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.342] lstrlenW (lpString=".xls") returned 4 [0053.342] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.342] lstrlenW (lpString=".xlsx") returned 5 [0053.342] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0053.342] lstrlenW (lpString=".ppt") returned 4 [0053.342] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.343] lstrlenW (lpString=".zip") returned 4 [0053.343] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString=".rar") returned 4 [0053.343] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString=".bz2") returned 4 [0053.343] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.343] lstrlenW (lpString=".7z") returned 3 [0053.343] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.343] lstrlenW (lpString=".dbf") returned 4 [0053.343] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.343] lstrlenW (lpString=".1cd") returned 4 [0053.343] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.343] lstrlenW (lpString=".jpg") returned 4 [0053.343] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.343] lstrlenW (lpString=".doc") returned 4 [0053.343] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString=".docx") returned 5 [0053.343] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0053.343] lstrlenW (lpString=".pdf") returned 4 [0053.343] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.343] lstrlenW (lpString=".xls") returned 4 [0053.344] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.344] lstrlenW (lpString=".xlsx") returned 5 [0053.344] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0053.344] lstrlenW (lpString=".ppt") returned 4 [0053.344] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.344] lstrlenW (lpString=".zip") returned 4 [0053.344] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.344] lstrlenW (lpString=".rar") returned 4 [0053.344] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.344] lstrlenW (lpString=".bz2") returned 4 [0053.344] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.344] lstrlenW (lpString=".7z") returned 3 [0053.344] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.344] lstrlenW (lpString=".dbf") returned 4 [0053.344] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.344] lstrlenW (lpString=".1cd") returned 4 [0053.344] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0053.344] lstrlenW (lpString=".jpg") returned 4 [0053.344] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.344] lstrcmpiW (lpString1=".config", lpString2=".NcOv") returned -1 [0053.344] lstrlenW (lpString="VSTOInstaller.config") returned 20 [0053.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.349] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=716) returned 1 [0053.349] CloseHandle (hObject=0x1a0) returned 1 [0053.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 0x20 [0053.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.350] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.350] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.350] GetLastError () returned 0x0 [0053.350] ReadFile (in: hFile=0x1a0, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x2cc, lpOverlapped=0x0) returned 1 [0053.363] WriteFile (in: hFile=0x224, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0053.364] ReadFile (in: hFile=0x1a0, lpBuffer=0x3030020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesRead=0x2a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.364] WriteFile (in: hFile=0x224, lpBuffer=0x3030020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3030020*, lpNumberOfBytesWritten=0x2a6fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0053.364] SetEndOfFile (hFile=0x224) returned 1 [0053.364] CloseHandle (hObject=0x224) returned 1 [0053.364] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.364] SetEndOfFile (hFile=0x1a0) returned 1 [0053.365] CloseHandle (hObject=0x1a0) returned 1 [0053.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.366] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0053.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.366] lstrlenW (lpString=".doc") returned 4 [0053.366] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString=".docx") returned 5 [0053.366] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0053.366] lstrlenW (lpString=".pdf") returned 4 [0053.366] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString=".xls") returned 4 [0053.366] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString=".xlsx") returned 5 [0053.366] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0053.366] lstrlenW (lpString=".ppt") returned 4 [0053.366] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.366] lstrlenW (lpString=".zip") returned 4 [0053.366] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString=".rar") returned 4 [0053.366] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString=".bz2") returned 4 [0053.366] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString=".7z") returned 3 [0053.366] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0053.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.366] lstrlenW (lpString=".dbf") returned 4 [0053.366] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0053.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.366] lstrlenW (lpString=".1cd") returned 4 [0053.366] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString=".jpg") returned 4 [0053.367] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString=".doc") returned 4 [0053.367] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString=".docx") returned 5 [0053.367] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0053.367] lstrlenW (lpString=".pdf") returned 4 [0053.367] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString=".xls") returned 4 [0053.367] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString=".xlsx") returned 5 [0053.367] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0053.367] lstrlenW (lpString=".ppt") returned 4 [0053.367] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString=".zip") returned 4 [0053.367] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString=".rar") returned 4 [0053.367] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString=".bz2") returned 4 [0053.367] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString=".7z") returned 3 [0053.367] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString=".dbf") returned 4 [0053.367] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString=".1cd") returned 4 [0053.367] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0053.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0053.367] lstrlenW (lpString=".jpg") returned 4 [0053.368] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0053.368] lstrcmpiW (lpString1=".bmp", lpString2=".NcOv") returned -1 [0053.368] lstrlenW (lpString="verisign.bmp") returned 12 [0053.368] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.566] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=2702) returned 1 [0053.566] CloseHandle (hObject=0x204) returned 1 [0053.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0053.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.566] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.566] lstrlenW (lpString=".doc") returned 4 [0053.566] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString=".docx") returned 5 [0053.567] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0053.567] lstrlenW (lpString=".pdf") returned 4 [0053.567] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString=".xls") returned 4 [0053.567] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString=".xlsx") returned 5 [0053.567] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0053.567] lstrlenW (lpString=".ppt") returned 4 [0053.567] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.567] lstrlenW (lpString=".zip") returned 4 [0053.567] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString=".rar") returned 4 [0053.567] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString=".bz2") returned 4 [0053.567] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString=".7z") returned 3 [0053.567] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0053.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.567] lstrlenW (lpString=".dbf") returned 4 [0053.567] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.567] lstrlenW (lpString=".1cd") returned 4 [0053.567] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0053.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.567] lstrlenW (lpString=".jpg") returned 4 [0053.567] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0053.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.567] lstrlenW (lpString=".doc") returned 4 [0053.567] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString=".docx") returned 5 [0053.568] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0053.568] lstrlenW (lpString=".pdf") returned 4 [0053.568] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString=".xls") returned 4 [0053.568] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString=".xlsx") returned 5 [0053.568] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0053.568] lstrlenW (lpString=".ppt") returned 4 [0053.568] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.568] lstrlenW (lpString=".zip") returned 4 [0053.568] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString=".rar") returned 4 [0053.568] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString=".bz2") returned 4 [0053.568] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString=".7z") returned 3 [0053.568] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0053.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.568] lstrlenW (lpString=".dbf") returned 4 [0053.568] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0053.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.568] lstrlenW (lpString=".1cd") returned 4 [0053.568] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0053.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0053.568] lstrlenW (lpString=".jpg") returned 4 [0053.568] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0053.568] lstrcmpiW (lpString1=".inc", lpString2=".NcOv") returned -1 [0053.568] lstrlenW (lpString="oledbvbs.inc") returned 12 [0053.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.880] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=9975) returned 1 [0053.891] CloseHandle (hObject=0x1e8) returned 1 [0053.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0053.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.891] lstrlenW (lpString=".doc") returned 4 [0053.891] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.891] lstrlenW (lpString=".docx") returned 5 [0053.891] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.891] lstrlenW (lpString=".pdf") returned 4 [0053.891] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.891] lstrlenW (lpString=".xls") returned 4 [0053.891] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.891] lstrlenW (lpString=".xlsx") returned 5 [0053.891] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.891] lstrlenW (lpString=".ppt") returned 4 [0053.892] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString=".zip") returned 4 [0053.892] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString=".rar") returned 4 [0053.892] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString=".bz2") returned 4 [0053.892] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.892] lstrlenW (lpString=".7z") returned 3 [0053.892] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString=".dbf") returned 4 [0053.892] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString=".1cd") returned 4 [0053.892] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString=".jpg") returned 4 [0053.892] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString=".doc") returned 4 [0053.892] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.892] lstrlenW (lpString=".docx") returned 5 [0053.892] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.892] lstrlenW (lpString=".pdf") returned 4 [0053.892] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString=".xls") returned 4 [0053.892] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString=".xlsx") returned 5 [0053.892] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.892] lstrlenW (lpString=".ppt") returned 4 [0053.892] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.892] lstrlenW (lpString=".zip") returned 4 [0053.892] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.893] lstrlenW (lpString=".rar") returned 4 [0053.893] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.893] lstrlenW (lpString=".bz2") returned 4 [0053.893] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.893] lstrlenW (lpString=".7z") returned 3 [0053.893] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.893] lstrlenW (lpString=".dbf") returned 4 [0053.893] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.893] lstrlenW (lpString=".1cd") returned 4 [0053.893] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0053.893] lstrlenW (lpString=".jpg") returned 4 [0053.893] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.893] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0053.893] lstrlenW (lpString="BabyBoyMainBackground_PAL.wmv") returned 29 [0053.893] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.445] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=325322) returned 1 [0054.445] CloseHandle (hObject=0x1e8) returned 1 [0054.446] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv")) returned 0x20 [0054.446] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.446] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.446] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.446] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.446] lstrlenW (lpString=".doc") returned 4 [0054.446] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.446] lstrlenW (lpString=".docx") returned 5 [0054.446] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.446] lstrlenW (lpString=".pdf") returned 4 [0054.446] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.446] lstrlenW (lpString=".xls") returned 4 [0054.446] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.446] lstrlenW (lpString=".xlsx") returned 5 [0054.446] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.446] lstrlenW (lpString=".ppt") returned 4 [0054.446] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.446] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.446] lstrlenW (lpString=".zip") returned 4 [0054.446] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.446] lstrlenW (lpString=".rar") returned 4 [0054.447] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString=".bz2") returned 4 [0054.447] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString=".7z") returned 3 [0054.447] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.447] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.447] lstrlenW (lpString=".dbf") returned 4 [0054.447] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.447] lstrlenW (lpString=".1cd") returned 4 [0054.447] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.447] lstrlenW (lpString=".jpg") returned 4 [0054.447] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.447] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.447] lstrlenW (lpString=".doc") returned 4 [0054.447] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString=".docx") returned 5 [0054.447] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.447] lstrlenW (lpString=".pdf") returned 4 [0054.447] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString=".xls") returned 4 [0054.447] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.447] lstrlenW (lpString=".xlsx") returned 5 [0054.447] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.447] lstrlenW (lpString=".ppt") returned 4 [0054.447] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.447] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.448] lstrlenW (lpString=".zip") returned 4 [0054.448] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.448] lstrlenW (lpString=".rar") returned 4 [0054.448] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.448] lstrlenW (lpString=".bz2") returned 4 [0054.448] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.448] lstrlenW (lpString=".7z") returned 3 [0054.448] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.448] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.448] lstrlenW (lpString=".dbf") returned 4 [0054.448] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.448] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.448] lstrlenW (lpString=".1cd") returned 4 [0054.448] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.448] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0054.448] lstrlenW (lpString=".jpg") returned 4 [0054.448] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.448] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.448] lstrlenW (lpString="BabyBoyMainToNotesBackground.wmv") returned 32 [0054.448] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.449] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=141214) returned 1 [0054.449] CloseHandle (hObject=0x1e8) returned 1 [0054.449] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv")) returned 0x20 [0054.449] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.449] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.449] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.449] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.449] lstrlenW (lpString=".doc") returned 4 [0054.449] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.449] lstrlenW (lpString=".docx") returned 5 [0054.450] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0054.450] lstrlenW (lpString=".pdf") returned 4 [0054.450] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.450] lstrlenW (lpString=".xls") returned 4 [0054.450] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.450] lstrlenW (lpString=".xlsx") returned 5 [0054.450] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0054.450] lstrlenW (lpString=".ppt") returned 4 [0054.450] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.450] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.450] lstrlenW (lpString=".zip") returned 4 [0054.450] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.450] lstrlenW (lpString=".rar") returned 4 [0054.450] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.450] lstrlenW (lpString=".bz2") returned 4 [0054.450] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.450] lstrlenW (lpString=".7z") returned 3 [0054.450] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.450] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.450] lstrlenW (lpString=".dbf") returned 4 [0054.450] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.450] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.450] lstrlenW (lpString=".1cd") returned 4 [0054.450] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.450] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.450] lstrlenW (lpString=".jpg") returned 4 [0054.450] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.451] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.451] lstrlenW (lpString=".doc") returned 4 [0054.451] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString=".docx") returned 5 [0054.451] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0054.451] lstrlenW (lpString=".pdf") returned 4 [0054.451] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString=".xls") returned 4 [0054.451] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.451] lstrlenW (lpString=".xlsx") returned 5 [0054.451] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0054.451] lstrlenW (lpString=".ppt") returned 4 [0054.451] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.451] lstrlenW (lpString=".zip") returned 4 [0054.451] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.451] lstrlenW (lpString=".rar") returned 4 [0054.451] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString=".bz2") returned 4 [0054.451] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString=".7z") returned 3 [0054.451] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.451] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.451] lstrlenW (lpString=".dbf") returned 4 [0054.451] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.451] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.451] lstrlenW (lpString=".1cd") returned 4 [0054.451] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.452] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 84 [0054.452] lstrlenW (lpString=".jpg") returned 4 [0054.452] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.452] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.452] lstrlenW (lpString="BabyBoyMainToNotesBackground_PAL.wmv") returned 36 [0054.452] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.452] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=157214) returned 1 [0054.452] CloseHandle (hObject=0x1e8) returned 1 [0054.452] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv")) returned 0x20 [0054.453] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.453] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.453] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.453] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.453] lstrlenW (lpString=".doc") returned 4 [0054.453] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.453] lstrlenW (lpString=".docx") returned 5 [0054.453] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.453] lstrlenW (lpString=".pdf") returned 4 [0054.453] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.453] lstrlenW (lpString=".xls") returned 4 [0054.453] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.453] lstrlenW (lpString=".xlsx") returned 5 [0054.453] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.453] lstrlenW (lpString=".ppt") returned 4 [0054.453] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.453] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.453] lstrlenW (lpString=".zip") returned 4 [0054.453] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.453] lstrlenW (lpString=".rar") returned 4 [0054.453] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.453] lstrlenW (lpString=".bz2") returned 4 [0054.453] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.453] lstrlenW (lpString=".7z") returned 3 [0054.453] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.453] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.453] lstrlenW (lpString=".dbf") returned 4 [0054.454] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.454] lstrlenW (lpString=".1cd") returned 4 [0054.454] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.454] lstrlenW (lpString=".jpg") returned 4 [0054.454] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.454] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.454] lstrlenW (lpString=".doc") returned 4 [0054.454] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString=".docx") returned 5 [0054.454] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.454] lstrlenW (lpString=".pdf") returned 4 [0054.454] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString=".xls") returned 4 [0054.454] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.454] lstrlenW (lpString=".xlsx") returned 5 [0054.454] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.454] lstrlenW (lpString=".ppt") returned 4 [0054.454] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.454] lstrlenW (lpString=".zip") returned 4 [0054.454] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.454] lstrlenW (lpString=".rar") returned 4 [0054.454] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.454] lstrlenW (lpString=".bz2") returned 4 [0054.454] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.455] lstrlenW (lpString=".7z") returned 3 [0054.455] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.455] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.455] lstrlenW (lpString=".dbf") returned 4 [0054.455] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.455] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.455] lstrlenW (lpString=".1cd") returned 4 [0054.455] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.455] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 88 [0054.455] lstrlenW (lpString=".jpg") returned 4 [0054.455] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.455] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.455] lstrlenW (lpString="BabyBoyMainToScenesBackground.wmv") returned 33 [0054.455] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.456] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=117214) returned 1 [0054.456] CloseHandle (hObject=0x1e8) returned 1 [0054.456] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv")) returned 0x20 [0054.457] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.457] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.457] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.457] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.457] lstrlenW (lpString=".doc") returned 4 [0054.457] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.457] lstrlenW (lpString=".docx") returned 5 [0054.457] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0054.457] lstrlenW (lpString=".pdf") returned 4 [0054.457] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.457] lstrlenW (lpString=".xls") returned 4 [0054.457] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.457] lstrlenW (lpString=".xlsx") returned 5 [0054.457] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0054.457] lstrlenW (lpString=".ppt") returned 4 [0054.457] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.457] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.457] lstrlenW (lpString=".zip") returned 4 [0054.457] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.457] lstrlenW (lpString=".rar") returned 4 [0054.457] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.457] lstrlenW (lpString=".bz2") returned 4 [0054.457] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.457] lstrlenW (lpString=".7z") returned 3 [0054.457] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.457] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.458] lstrlenW (lpString=".dbf") returned 4 [0054.458] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.458] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.458] lstrlenW (lpString=".1cd") returned 4 [0054.458] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.458] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.458] lstrlenW (lpString=".jpg") returned 4 [0054.458] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.458] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.458] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.458] lstrlenW (lpString=".doc") returned 4 [0054.458] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.458] lstrlenW (lpString=".docx") returned 5 [0054.458] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0054.458] lstrlenW (lpString=".pdf") returned 4 [0054.458] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.458] lstrlenW (lpString=".xls") returned 4 [0054.458] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.458] lstrlenW (lpString=".xlsx") returned 5 [0054.458] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0054.458] lstrlenW (lpString=".ppt") returned 4 [0054.458] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.458] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.458] lstrlenW (lpString=".zip") returned 4 [0054.458] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.458] lstrlenW (lpString=".rar") returned 4 [0054.458] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.459] lstrlenW (lpString=".bz2") returned 4 [0054.459] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.459] lstrlenW (lpString=".7z") returned 3 [0054.459] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.459] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.459] lstrlenW (lpString=".dbf") returned 4 [0054.459] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.459] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.459] lstrlenW (lpString=".1cd") returned 4 [0054.459] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.459] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 85 [0054.459] lstrlenW (lpString=".jpg") returned 4 [0054.459] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.459] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.459] lstrlenW (lpString="BabyBoyMainToScenesBackground_PAL.wmv") returned 37 [0054.459] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.460] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=141214) returned 1 [0054.460] CloseHandle (hObject=0x1e8) returned 1 [0054.460] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv")) returned 0x20 [0054.460] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.460] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.460] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.460] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.460] lstrlenW (lpString=".doc") returned 4 [0054.460] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.460] lstrlenW (lpString=".docx") returned 5 [0054.460] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.460] lstrlenW (lpString=".pdf") returned 4 [0054.460] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.460] lstrlenW (lpString=".xls") returned 4 [0054.460] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.460] lstrlenW (lpString=".xlsx") returned 5 [0054.461] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.461] lstrlenW (lpString=".ppt") returned 4 [0054.461] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.461] lstrlenW (lpString=".zip") returned 4 [0054.461] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.461] lstrlenW (lpString=".rar") returned 4 [0054.461] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString=".bz2") returned 4 [0054.461] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString=".7z") returned 3 [0054.461] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.461] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.461] lstrlenW (lpString=".dbf") returned 4 [0054.461] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.461] lstrlenW (lpString=".1cd") returned 4 [0054.461] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.461] lstrlenW (lpString=".jpg") returned 4 [0054.461] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.461] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.461] lstrlenW (lpString=".doc") returned 4 [0054.461] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.461] lstrlenW (lpString=".docx") returned 5 [0054.462] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.462] lstrlenW (lpString=".pdf") returned 4 [0054.462] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.462] lstrlenW (lpString=".xls") returned 4 [0054.462] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.462] lstrlenW (lpString=".xlsx") returned 5 [0054.462] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.462] lstrlenW (lpString=".ppt") returned 4 [0054.462] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.462] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.462] lstrlenW (lpString=".zip") returned 4 [0054.462] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.462] lstrlenW (lpString=".rar") returned 4 [0054.462] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.462] lstrlenW (lpString=".bz2") returned 4 [0054.462] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.462] lstrlenW (lpString=".7z") returned 3 [0054.462] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.462] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.462] lstrlenW (lpString=".dbf") returned 4 [0054.462] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.462] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.462] lstrlenW (lpString=".1cd") returned 4 [0054.462] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.462] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 89 [0054.462] lstrlenW (lpString=".jpg") returned 4 [0054.462] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.463] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.463] lstrlenW (lpString="BabyBoyNotesBackground.wmv") returned 26 [0054.463] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.463] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=157292) returned 1 [0054.463] CloseHandle (hObject=0x1e8) returned 1 [0054.463] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv")) returned 0x20 [0054.463] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.464] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.464] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.464] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.464] lstrlenW (lpString=".doc") returned 4 [0054.464] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.464] lstrlenW (lpString=".docx") returned 5 [0054.464] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0054.464] lstrlenW (lpString=".pdf") returned 4 [0054.464] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.464] lstrlenW (lpString=".xls") returned 4 [0054.464] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.464] lstrlenW (lpString=".xlsx") returned 5 [0054.464] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0054.464] lstrlenW (lpString=".ppt") returned 4 [0054.464] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.464] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.464] lstrlenW (lpString=".zip") returned 4 [0054.464] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.464] lstrlenW (lpString=".rar") returned 4 [0054.464] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.464] lstrlenW (lpString=".bz2") returned 4 [0054.464] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.464] lstrlenW (lpString=".7z") returned 3 [0054.464] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.464] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.465] lstrlenW (lpString=".dbf") returned 4 [0054.465] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.465] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.465] lstrlenW (lpString=".1cd") returned 4 [0054.465] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.465] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.465] lstrlenW (lpString=".jpg") returned 4 [0054.465] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.465] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.465] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.465] lstrlenW (lpString=".doc") returned 4 [0054.465] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.465] lstrlenW (lpString=".docx") returned 5 [0054.465] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0054.465] lstrlenW (lpString=".pdf") returned 4 [0054.465] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.465] lstrlenW (lpString=".xls") returned 4 [0054.465] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.465] lstrlenW (lpString=".xlsx") returned 5 [0054.465] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0054.465] lstrlenW (lpString=".ppt") returned 4 [0054.465] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.465] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.465] lstrlenW (lpString=".zip") returned 4 [0054.465] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.465] lstrlenW (lpString=".rar") returned 4 [0054.465] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.466] lstrlenW (lpString=".bz2") returned 4 [0054.466] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.466] lstrlenW (lpString=".7z") returned 3 [0054.466] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.466] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.466] lstrlenW (lpString=".dbf") returned 4 [0054.466] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0054.466] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.466] lstrlenW (lpString=".1cd") returned 4 [0054.466] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0054.466] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 78 [0054.466] lstrlenW (lpString=".jpg") returned 4 [0054.466] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0054.466] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.466] lstrlenW (lpString="BabyBoyNotesBackground_PAL.wmv") returned 30 [0054.466] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.467] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2a6ff1c | out: lpFileSize=0x2a6ff1c*=157292) returned 1 [0054.467] CloseHandle (hObject=0x1e8) returned 1 [0054.467] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv")) returned 0x20 [0054.467] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.467] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.467] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0054.467] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0054.467] lstrlenW (lpString=".doc") returned 4 [0054.467] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0054.468] lstrlenW (lpString=".docx") returned 5 [0054.468] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0054.468] lstrlenW (lpString=".pdf") returned 4 [0054.468] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0054.468] lstrlenW (lpString=".xls") returned 4 [0054.468] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0054.468] lstrlenW (lpString=".xlsx") returned 5 [0054.468] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0054.468] lstrlenW (lpString=".ppt") returned 4 [0054.468] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0054.468] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0054.468] lstrlenW (lpString=".zip") returned 4 [0054.468] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0054.468] lstrlenW (lpString=".rar") returned 4 [0054.468] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0054.468] lstrlenW (lpString=".bz2") returned 4 [0054.468] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0054.468] lstrlenW (lpString=".7z") returned 3 [0054.468] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0054.468] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0054.468] lstrlenW (lpString=".dbf") returned 4 [0054.468] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0056.572] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.572] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.573] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.574] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.574] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.574] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.574] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.576] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.576] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0056.576] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0064.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 1 Thread: id = 10 os_tid = 0x358 [0036.650] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5a4080 [0036.651] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5b4088 [0036.651] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a730 [0036.651] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x53a3a0 [0036.651] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a700 [0036.651] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3280020 [0036.652] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a748 [0036.652] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a748, Size=0x20) returned 0x5a34e8 [0036.652] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a748 [0036.652] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a748, Size=0x20) returned 0x5a34c0 [0036.652] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0036.652] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0036.652] Wow64DisableWow64FsRedirection (in: OldValue=0x2b6ff58 | out: OldValue=0x2b6ff58*=0x0) returned 1 [0036.652] lstrlenW (lpString="kernel32.dll") returned 12 [0036.652] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34e8 | out: hHeap=0x500000) returned 1 [0036.652] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0036.652] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34c0 | out: hHeap=0x500000) returned 1 [0036.652] Sleep (dwMilliseconds=0x64) [0036.782] Sleep (dwMilliseconds=0x64) [0037.011] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.011] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0037.011] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.012] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1450) returned 1 [0037.012] CloseHandle (hObject=0x164) returned 1 [0037.013] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0037.013] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.013] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.013] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.013] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.013] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.013] GetLastError () returned 0x0 [0037.013] ReadFile (in: hFile=0x164, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0037.080] WriteFile (in: hFile=0x16c, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0037.081] ReadFile (in: hFile=0x164, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.081] WriteFile (in: hFile=0x16c, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0037.081] SetEndOfFile (hFile=0x16c) returned 1 [0037.081] CloseHandle (hObject=0x16c) returned 1 [0037.082] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.082] SetEndOfFile (hFile=0x164) returned 1 [0037.083] CloseHandle (hObject=0x164) returned 1 [0037.083] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.083] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString=".doc") returned 4 [0037.084] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString=".docx") returned 5 [0037.084] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.084] lstrlenW (lpString=".pdf") returned 4 [0037.084] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString=".xls") returned 4 [0037.084] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString=".xlsx") returned 5 [0037.084] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.084] lstrlenW (lpString=".ppt") returned 4 [0037.084] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString=".zip") returned 4 [0037.084] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.084] lstrlenW (lpString=".rar") returned 4 [0037.084] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString=".bz2") returned 4 [0037.084] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString=".7z") returned 3 [0037.084] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString=".dbf") returned 4 [0037.084] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString=".1cd") returned 4 [0037.084] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString=".jpg") returned 4 [0037.084] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.084] lstrlenW (lpString=".doc") returned 4 [0037.084] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.084] lstrlenW (lpString=".docx") returned 5 [0037.085] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.085] lstrlenW (lpString=".pdf") returned 4 [0037.085] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString=".xls") returned 4 [0037.085] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString=".xlsx") returned 5 [0037.085] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.085] lstrlenW (lpString=".ppt") returned 4 [0037.085] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.085] lstrlenW (lpString=".zip") returned 4 [0037.085] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.085] lstrlenW (lpString=".rar") returned 4 [0037.085] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString=".bz2") returned 4 [0037.085] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString=".7z") returned 3 [0037.085] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.085] lstrlenW (lpString=".dbf") returned 4 [0037.085] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.085] lstrlenW (lpString=".1cd") returned 4 [0037.085] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0037.085] lstrlenW (lpString=".jpg") returned 4 [0037.085] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.085] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.085] lstrlenW (lpString="Setup.xml") returned 9 [0037.085] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.099] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1608) returned 1 [0037.099] CloseHandle (hObject=0x178) returned 1 [0037.099] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.099] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.099] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.099] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.099] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.099] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.106] GetLastError () returned 0x0 [0037.106] ReadFile (in: hFile=0x178, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x648, lpOverlapped=0x0) returned 1 [0037.222] WriteFile (in: hFile=0x164, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x650, lpOverlapped=0x0) returned 1 [0037.223] ReadFile (in: hFile=0x178, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.223] WriteFile (in: hFile=0x164, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.223] SetEndOfFile (hFile=0x164) returned 1 [0037.223] CloseHandle (hObject=0x164) returned 1 [0037.227] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.227] SetEndOfFile (hFile=0x178) returned 1 [0037.228] CloseHandle (hObject=0x178) returned 1 [0037.228] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.229] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.229] lstrlenW (lpString=".doc") returned 4 [0037.229] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".docx") returned 5 [0037.229] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.229] lstrlenW (lpString=".pdf") returned 4 [0037.229] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".xls") returned 4 [0037.229] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".xlsx") returned 5 [0037.229] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.229] lstrlenW (lpString=".ppt") returned 4 [0037.229] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.229] lstrlenW (lpString=".zip") returned 4 [0037.229] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.229] lstrlenW (lpString=".rar") returned 4 [0037.229] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".bz2") returned 4 [0037.229] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".7z") returned 3 [0037.230] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".dbf") returned 4 [0037.230] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".1cd") returned 4 [0037.230] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".jpg") returned 4 [0037.230] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".doc") returned 4 [0037.230] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".docx") returned 5 [0037.230] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.230] lstrlenW (lpString=".pdf") returned 4 [0037.230] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".xls") returned 4 [0037.230] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".xlsx") returned 5 [0037.230] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.230] lstrlenW (lpString=".ppt") returned 4 [0037.230] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".zip") returned 4 [0037.230] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.230] lstrlenW (lpString=".rar") returned 4 [0037.230] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".bz2") returned 4 [0037.230] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".7z") returned 3 [0037.230] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".dbf") returned 4 [0037.230] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.230] lstrlenW (lpString=".1cd") returned 4 [0037.231] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.231] lstrlenW (lpString=".jpg") returned 4 [0037.231] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.231] Sleep (dwMilliseconds=0x64) [0037.709] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.709] lstrlenW (lpString="Proof.xml") returned 9 [0037.709] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0037.709] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1458) returned 1 [0037.709] CloseHandle (hObject=0x168) returned 1 [0037.709] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0037.709] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.709] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0037.709] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.710] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.710] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.710] GetLastError () returned 0x0 [0037.710] ReadFile (in: hFile=0x168, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0037.734] WriteFile (in: hFile=0x180, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0037.735] ReadFile (in: hFile=0x168, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.735] WriteFile (in: hFile=0x180, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.735] SetEndOfFile (hFile=0x180) returned 1 [0037.735] CloseHandle (hObject=0x180) returned 1 [0037.736] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.736] SetEndOfFile (hFile=0x168) returned 1 [0037.737] CloseHandle (hObject=0x168) returned 1 [0037.737] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.737] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0037.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.737] lstrlenW (lpString=".doc") returned 4 [0037.737] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.737] lstrlenW (lpString=".docx") returned 5 [0037.737] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0037.737] lstrlenW (lpString=".pdf") returned 4 [0037.737] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.737] lstrlenW (lpString=".xls") returned 4 [0037.737] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.737] lstrlenW (lpString=".xlsx") returned 5 [0037.737] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0037.737] lstrlenW (lpString=".ppt") returned 4 [0037.737] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.737] lstrlenW (lpString=".zip") returned 4 [0037.737] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.737] lstrlenW (lpString=".rar") returned 4 [0037.738] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".bz2") returned 4 [0037.738] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".7z") returned 3 [0037.738] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.738] lstrlenW (lpString=".dbf") returned 4 [0037.738] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.738] lstrlenW (lpString=".1cd") returned 4 [0037.738] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.738] lstrlenW (lpString=".jpg") returned 4 [0037.738] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.738] lstrlenW (lpString=".doc") returned 4 [0037.738] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".docx") returned 5 [0037.738] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0037.738] lstrlenW (lpString=".pdf") returned 4 [0037.738] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".xls") returned 4 [0037.738] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".xlsx") returned 5 [0037.738] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0037.738] lstrlenW (lpString=".ppt") returned 4 [0037.738] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.738] lstrlenW (lpString=".zip") returned 4 [0037.738] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.738] lstrlenW (lpString=".rar") returned 4 [0037.738] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".bz2") returned 4 [0037.738] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.738] lstrlenW (lpString=".7z") returned 3 [0037.739] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.739] lstrlenW (lpString=".dbf") returned 4 [0037.739] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.739] lstrlenW (lpString=".1cd") returned 4 [0037.739] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0037.739] lstrlenW (lpString=".jpg") returned 4 [0037.739] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.739] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.739] lstrlenW (lpString="Office32MUI.xml") returned 15 [0037.739] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0037.740] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1383) returned 1 [0037.740] CloseHandle (hObject=0x168) returned 1 [0037.740] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0037.740] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.740] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0037.740] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.740] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.740] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.741] GetLastError () returned 0x0 [0037.741] ReadFile (in: hFile=0x168, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x567, lpOverlapped=0x0) returned 1 [0037.756] WriteFile (in: hFile=0x180, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x570, lpOverlapped=0x0) returned 1 [0037.757] ReadFile (in: hFile=0x168, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.757] WriteFile (in: hFile=0x180, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0037.757] SetEndOfFile (hFile=0x180) returned 1 [0037.757] CloseHandle (hObject=0x180) returned 1 [0037.758] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.758] SetEndOfFile (hFile=0x168) returned 1 [0037.759] CloseHandle (hObject=0x168) returned 1 [0037.759] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.759] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0037.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.759] lstrlenW (lpString=".doc") returned 4 [0037.759] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.759] lstrlenW (lpString=".docx") returned 5 [0037.759] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.759] lstrlenW (lpString=".pdf") returned 4 [0037.759] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.759] lstrlenW (lpString=".xls") returned 4 [0037.759] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.759] lstrlenW (lpString=".xlsx") returned 5 [0037.759] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.759] lstrlenW (lpString=".ppt") returned 4 [0037.760] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString=".zip") returned 4 [0037.760] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.760] lstrlenW (lpString=".rar") returned 4 [0037.760] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString=".bz2") returned 4 [0037.760] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString=".7z") returned 3 [0037.760] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString=".dbf") returned 4 [0037.760] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString=".1cd") returned 4 [0037.760] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString=".jpg") returned 4 [0037.760] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString=".doc") returned 4 [0037.760] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString=".docx") returned 5 [0037.760] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.760] lstrlenW (lpString=".pdf") returned 4 [0037.760] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString=".xls") returned 4 [0037.760] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString=".xlsx") returned 5 [0037.760] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.760] lstrlenW (lpString=".ppt") returned 4 [0037.760] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.760] lstrlenW (lpString=".zip") returned 4 [0037.760] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.761] lstrlenW (lpString=".rar") returned 4 [0037.761] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.761] lstrlenW (lpString=".bz2") returned 4 [0037.761] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.761] lstrlenW (lpString=".7z") returned 3 [0037.761] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.761] lstrlenW (lpString=".dbf") returned 4 [0037.761] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.761] lstrlenW (lpString=".1cd") returned 4 [0037.761] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0037.761] lstrlenW (lpString=".jpg") returned 4 [0037.761] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.761] Sleep (dwMilliseconds=0x64) [0037.874] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.874] lstrlenW (lpString="Setup.xml") returned 9 [0037.874] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.875] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1852) returned 1 [0037.875] CloseHandle (hObject=0x190) returned 1 [0037.875] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.875] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.875] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.875] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.875] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.875] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0037.876] GetLastError () returned 0x0 [0037.876] ReadFile (in: hFile=0x190, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x73c, lpOverlapped=0x0) returned 1 [0037.896] WriteFile (in: hFile=0x194, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x740, lpOverlapped=0x0) returned 1 [0037.897] ReadFile (in: hFile=0x190, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.897] WriteFile (in: hFile=0x194, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.897] SetEndOfFile (hFile=0x194) returned 1 [0037.898] CloseHandle (hObject=0x194) returned 1 [0037.899] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.899] SetEndOfFile (hFile=0x190) returned 1 [0037.900] CloseHandle (hObject=0x190) returned 1 [0037.901] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.901] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.901] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.901] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.901] lstrlenW (lpString=".doc") returned 4 [0037.901] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.901] lstrlenW (lpString=".docx") returned 5 [0037.901] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.901] lstrlenW (lpString=".pdf") returned 4 [0037.901] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.901] lstrlenW (lpString=".xls") returned 4 [0037.901] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString=".xlsx") returned 5 [0037.902] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.902] lstrlenW (lpString=".ppt") returned 4 [0037.902] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.902] lstrlenW (lpString=".zip") returned 4 [0037.902] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.902] lstrlenW (lpString=".rar") returned 4 [0037.902] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString=".bz2") returned 4 [0037.902] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString=".7z") returned 3 [0037.902] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.902] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.902] lstrlenW (lpString=".dbf") returned 4 [0037.902] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.902] lstrlenW (lpString=".1cd") returned 4 [0037.902] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.902] lstrlenW (lpString=".jpg") returned 4 [0037.902] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.902] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.902] lstrlenW (lpString=".doc") returned 4 [0037.902] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.902] lstrlenW (lpString=".docx") returned 5 [0037.902] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.903] lstrlenW (lpString=".pdf") returned 4 [0037.903] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString=".xls") returned 4 [0037.903] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString=".xlsx") returned 5 [0037.903] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.903] lstrlenW (lpString=".ppt") returned 4 [0037.903] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.903] lstrlenW (lpString=".zip") returned 4 [0037.903] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.903] lstrlenW (lpString=".rar") returned 4 [0037.903] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString=".bz2") returned 4 [0037.903] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString=".7z") returned 3 [0037.903] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.903] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.903] lstrlenW (lpString=".dbf") returned 4 [0037.903] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.903] lstrlenW (lpString=".1cd") returned 4 [0037.903] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.903] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.903] lstrlenW (lpString=".jpg") returned 4 [0037.903] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.904] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.904] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0037.904] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.905] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1606) returned 1 [0037.905] CloseHandle (hObject=0x190) returned 1 [0037.905] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0037.905] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.905] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.905] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.905] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.905] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0037.906] GetLastError () returned 0x0 [0037.906] ReadFile (in: hFile=0x190, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x646, lpOverlapped=0x0) returned 1 [0037.941] WriteFile (in: hFile=0x194, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x650, lpOverlapped=0x0) returned 1 [0037.943] ReadFile (in: hFile=0x190, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.943] WriteFile (in: hFile=0x194, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.943] SetEndOfFile (hFile=0x194) returned 1 [0037.943] CloseHandle (hObject=0x194) returned 1 [0037.944] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.944] SetEndOfFile (hFile=0x190) returned 1 [0037.945] CloseHandle (hObject=0x190) returned 1 [0037.945] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.945] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0037.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.945] lstrlenW (lpString=".doc") returned 4 [0037.946] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.946] lstrlenW (lpString=".docx") returned 5 [0037.946] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.946] lstrlenW (lpString=".pdf") returned 4 [0037.946] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.946] lstrlenW (lpString=".xls") returned 4 [0037.946] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.946] lstrlenW (lpString=".xlsx") returned 5 [0037.946] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.946] lstrlenW (lpString=".ppt") returned 4 [0037.946] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.946] lstrlenW (lpString=".zip") returned 4 [0037.946] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.946] lstrlenW (lpString=".rar") returned 4 [0037.946] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.946] lstrlenW (lpString=".bz2") returned 4 [0037.946] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.946] lstrlenW (lpString=".7z") returned 3 [0037.946] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.947] lstrlenW (lpString=".dbf") returned 4 [0037.947] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.947] lstrlenW (lpString=".1cd") returned 4 [0037.947] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.947] lstrlenW (lpString=".jpg") returned 4 [0037.947] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.947] lstrlenW (lpString=".doc") returned 4 [0037.947] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString=".docx") returned 5 [0037.947] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.947] lstrlenW (lpString=".pdf") returned 4 [0037.947] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString=".xls") returned 4 [0037.947] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString=".xlsx") returned 5 [0037.947] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.947] lstrlenW (lpString=".ppt") returned 4 [0037.947] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.947] lstrlenW (lpString=".zip") returned 4 [0037.948] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.948] lstrlenW (lpString=".rar") returned 4 [0037.948] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.948] lstrlenW (lpString=".bz2") returned 4 [0037.948] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.948] lstrlenW (lpString=".7z") returned 3 [0037.948] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.948] lstrlenW (lpString=".dbf") returned 4 [0037.948] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.948] lstrlenW (lpString=".1cd") returned 4 [0037.948] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0037.948] lstrlenW (lpString=".jpg") returned 4 [0037.948] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.948] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.948] lstrlenW (lpString="Setup.xml") returned 9 [0037.948] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0037.952] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1872) returned 1 [0037.952] CloseHandle (hObject=0x1a0) returned 1 [0037.952] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.952] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.952] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0037.952] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.952] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.953] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.953] GetLastError () returned 0x0 [0037.953] ReadFile (in: hFile=0x1a0, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x750, lpOverlapped=0x0) returned 1 [0038.060] WriteFile (in: hFile=0x1a4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x760, lpOverlapped=0x0) returned 1 [0038.061] ReadFile (in: hFile=0x1a0, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.061] WriteFile (in: hFile=0x1a4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.061] SetEndOfFile (hFile=0x1a4) returned 1 [0038.061] CloseHandle (hObject=0x1a4) returned 1 [0038.062] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.062] SetEndOfFile (hFile=0x1a0) returned 1 [0038.063] CloseHandle (hObject=0x1a0) returned 1 [0038.063] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0038.063] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0038.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.063] lstrlenW (lpString=".doc") returned 4 [0038.063] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString=".docx") returned 5 [0038.064] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0038.064] lstrlenW (lpString=".pdf") returned 4 [0038.064] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString=".xls") returned 4 [0038.064] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString=".xlsx") returned 5 [0038.064] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0038.064] lstrlenW (lpString=".ppt") returned 4 [0038.064] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.064] lstrlenW (lpString=".zip") returned 4 [0038.064] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.064] lstrlenW (lpString=".rar") returned 4 [0038.064] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString=".bz2") returned 4 [0038.064] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString=".7z") returned 3 [0038.064] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.064] lstrlenW (lpString=".dbf") returned 4 [0038.064] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.064] lstrlenW (lpString=".1cd") returned 4 [0038.064] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.064] lstrlenW (lpString=".jpg") returned 4 [0038.064] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.065] lstrlenW (lpString=".doc") returned 4 [0038.065] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.065] lstrlenW (lpString=".docx") returned 5 [0038.065] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0038.065] lstrlenW (lpString=".pdf") returned 4 [0038.065] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.065] lstrlenW (lpString=".xls") returned 4 [0038.065] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.065] lstrlenW (lpString=".xlsx") returned 5 [0038.065] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0038.065] lstrlenW (lpString=".ppt") returned 4 [0038.065] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.066] lstrlenW (lpString=".zip") returned 4 [0038.066] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.066] lstrlenW (lpString=".rar") returned 4 [0038.066] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.066] lstrlenW (lpString=".bz2") returned 4 [0038.067] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.067] lstrlenW (lpString=".7z") returned 3 [0038.067] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.067] lstrlenW (lpString=".dbf") returned 4 [0038.067] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.067] lstrlenW (lpString=".1cd") returned 4 [0038.067] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.067] lstrlenW (lpString=".jpg") returned 4 [0038.067] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.067] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0038.067] lstrlenW (lpString="Setup.xml") returned 9 [0038.067] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.067] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1452) returned 1 [0038.067] CloseHandle (hObject=0x1a0) returned 1 [0038.067] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0038.067] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.067] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.068] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.068] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.068] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.068] GetLastError () returned 0x0 [0038.068] ReadFile (in: hFile=0x1a0, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0038.097] WriteFile (in: hFile=0x1a4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0038.098] ReadFile (in: hFile=0x1a0, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.098] WriteFile (in: hFile=0x1a4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.098] SetEndOfFile (hFile=0x1a4) returned 1 [0038.099] CloseHandle (hObject=0x1a4) returned 1 [0038.099] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.099] SetEndOfFile (hFile=0x1a0) returned 1 [0038.100] CloseHandle (hObject=0x1a0) returned 1 [0038.100] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0038.100] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString=".doc") returned 4 [0038.101] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString=".docx") returned 5 [0038.101] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0038.101] lstrlenW (lpString=".pdf") returned 4 [0038.101] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString=".xls") returned 4 [0038.101] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString=".xlsx") returned 5 [0038.101] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0038.101] lstrlenW (lpString=".ppt") returned 4 [0038.101] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString=".zip") returned 4 [0038.101] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.101] lstrlenW (lpString=".rar") returned 4 [0038.101] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString=".bz2") returned 4 [0038.101] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString=".7z") returned 3 [0038.101] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString=".dbf") returned 4 [0038.101] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString=".1cd") returned 4 [0038.101] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString=".jpg") returned 4 [0038.101] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.101] lstrlenW (lpString=".doc") returned 4 [0038.101] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.101] lstrlenW (lpString=".docx") returned 5 [0038.102] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0038.102] lstrlenW (lpString=".pdf") returned 4 [0038.102] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString=".xls") returned 4 [0038.102] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString=".xlsx") returned 5 [0038.102] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0038.102] lstrlenW (lpString=".ppt") returned 4 [0038.102] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.102] lstrlenW (lpString=".zip") returned 4 [0038.102] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.102] lstrlenW (lpString=".rar") returned 4 [0038.102] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString=".bz2") returned 4 [0038.102] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString=".7z") returned 3 [0038.102] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.102] lstrlenW (lpString=".dbf") returned 4 [0038.102] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.102] lstrlenW (lpString=".1cd") returned 4 [0038.102] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0038.102] lstrlenW (lpString=".jpg") returned 4 [0038.102] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.102] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0038.102] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0038.102] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0038.123] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=5557) returned 1 [0038.123] CloseHandle (hObject=0x190) returned 1 [0038.123] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0038.123] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.123] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0038.123] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.124] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.124] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0038.157] GetLastError () returned 0x0 [0038.157] ReadFile (in: hFile=0x190, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0038.177] WriteFile (in: hFile=0x194, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0038.178] ReadFile (in: hFile=0x190, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.178] WriteFile (in: hFile=0x194, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0038.178] SetEndOfFile (hFile=0x194) returned 1 [0038.178] CloseHandle (hObject=0x194) returned 1 [0038.179] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.179] SetEndOfFile (hFile=0x190) returned 1 [0039.029] CloseHandle (hObject=0x190) returned 1 [0039.362] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0039.694] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0040.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.652] lstrlenW (lpString=".doc") returned 4 [0040.652] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.652] lstrlenW (lpString=".docx") returned 5 [0040.652] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0040.652] lstrlenW (lpString=".pdf") returned 4 [0040.652] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.652] lstrlenW (lpString=".xls") returned 4 [0040.652] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.652] lstrlenW (lpString=".xlsx") returned 5 [0040.652] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0040.652] lstrlenW (lpString=".ppt") returned 4 [0040.652] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.652] lstrlenW (lpString=".zip") returned 4 [0040.652] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.652] lstrlenW (lpString=".rar") returned 4 [0040.652] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.652] lstrlenW (lpString=".bz2") returned 4 [0040.652] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.652] lstrlenW (lpString=".7z") returned 3 [0040.652] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.652] lstrlenW (lpString=".dbf") returned 4 [0040.652] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString=".1cd") returned 4 [0040.653] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString=".jpg") returned 4 [0040.653] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString=".doc") returned 4 [0040.653] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString=".docx") returned 5 [0040.653] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0040.653] lstrlenW (lpString=".pdf") returned 4 [0040.653] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString=".xls") returned 4 [0040.653] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString=".xlsx") returned 5 [0040.653] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0040.653] lstrlenW (lpString=".ppt") returned 4 [0040.653] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString=".zip") returned 4 [0040.653] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.653] lstrlenW (lpString=".rar") returned 4 [0040.653] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString=".bz2") returned 4 [0040.653] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString=".7z") returned 3 [0040.653] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString=".dbf") returned 4 [0040.653] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.653] lstrlenW (lpString=".1cd") returned 4 [0040.653] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0040.654] lstrlenW (lpString=".jpg") returned 4 [0040.654] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.654] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.654] lstrlenW (lpString="Setup.xml") returned 9 [0040.654] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.031] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=31094) returned 1 [0041.031] CloseHandle (hObject=0x1c8) returned 1 [0041.031] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0041.031] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.031] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.032] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.032] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.032] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0041.032] GetLastError () returned 0x0 [0041.032] ReadFile (in: hFile=0x1c8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x7976, lpOverlapped=0x0) returned 1 [0041.035] WriteFile (in: hFile=0x1e4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0041.036] ReadFile (in: hFile=0x1c8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.036] WriteFile (in: hFile=0x1e4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.036] SetEndOfFile (hFile=0x1e4) returned 1 [0041.037] CloseHandle (hObject=0x1e4) returned 1 [0041.037] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.037] SetEndOfFile (hFile=0x1c8) returned 1 [0041.038] CloseHandle (hObject=0x1c8) returned 1 [0041.039] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.039] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.039] lstrlenW (lpString=".doc") returned 4 [0041.039] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.039] lstrlenW (lpString=".docx") returned 5 [0041.039] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0041.039] lstrlenW (lpString=".pdf") returned 4 [0041.039] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.039] lstrlenW (lpString=".xls") returned 4 [0041.039] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.039] lstrlenW (lpString=".xlsx") returned 5 [0041.039] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0041.039] lstrlenW (lpString=".ppt") returned 4 [0041.039] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.039] lstrlenW (lpString=".zip") returned 4 [0041.039] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.039] lstrlenW (lpString=".rar") returned 4 [0041.039] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.039] lstrlenW (lpString=".bz2") returned 4 [0041.039] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString=".7z") returned 3 [0041.040] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.040] lstrlenW (lpString=".dbf") returned 4 [0041.040] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.040] lstrlenW (lpString=".1cd") returned 4 [0041.040] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.040] lstrlenW (lpString=".jpg") returned 4 [0041.040] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.040] lstrlenW (lpString=".doc") returned 4 [0041.040] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString=".docx") returned 5 [0041.040] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0041.040] lstrlenW (lpString=".pdf") returned 4 [0041.040] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString=".xls") returned 4 [0041.040] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString=".xlsx") returned 5 [0041.040] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0041.040] lstrlenW (lpString=".ppt") returned 4 [0041.040] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.040] lstrlenW (lpString=".zip") returned 4 [0041.040] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.040] lstrlenW (lpString=".rar") returned 4 [0041.040] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString=".bz2") returned 4 [0041.040] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.040] lstrlenW (lpString=".7z") returned 3 [0041.040] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.041] lstrlenW (lpString=".dbf") returned 4 [0041.041] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.041] lstrlenW (lpString=".1cd") returned 4 [0041.041] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.041] lstrlenW (lpString=".jpg") returned 4 [0041.041] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.041] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.041] lstrlenW (lpString="Setup.xml") returned 9 [0041.041] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.074] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=16683) returned 1 [0041.074] CloseHandle (hObject=0x1f4) returned 1 [0041.074] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0041.074] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.074] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.074] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0041.075] GetLastError () returned 0x0 [0041.075] ReadFile (in: hFile=0x1f4, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x412b, lpOverlapped=0x0) returned 1 [0041.077] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0041.078] ReadFile (in: hFile=0x1f4, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.078] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.078] SetEndOfFile (hFile=0x1f8) returned 1 [0041.078] CloseHandle (hObject=0x1f8) returned 1 [0041.079] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.079] SetEndOfFile (hFile=0x1f4) returned 1 [0041.080] CloseHandle (hObject=0x1f4) returned 1 [0041.080] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.080] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.081] lstrlenW (lpString=".doc") returned 4 [0041.081] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString=".docx") returned 5 [0041.081] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0041.081] lstrlenW (lpString=".pdf") returned 4 [0041.081] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString=".xls") returned 4 [0041.081] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString=".xlsx") returned 5 [0041.081] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0041.081] lstrlenW (lpString=".ppt") returned 4 [0041.081] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.081] lstrlenW (lpString=".zip") returned 4 [0041.081] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.081] lstrlenW (lpString=".rar") returned 4 [0041.081] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString=".bz2") returned 4 [0041.081] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString=".7z") returned 3 [0041.081] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.081] lstrlenW (lpString=".dbf") returned 4 [0041.081] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.081] lstrlenW (lpString=".1cd") returned 4 [0041.081] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString=".jpg") returned 4 [0041.082] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString=".doc") returned 4 [0041.082] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString=".docx") returned 5 [0041.082] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0041.082] lstrlenW (lpString=".pdf") returned 4 [0041.082] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString=".xls") returned 4 [0041.082] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString=".xlsx") returned 5 [0041.082] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0041.082] lstrlenW (lpString=".ppt") returned 4 [0041.082] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString=".zip") returned 4 [0041.082] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.082] lstrlenW (lpString=".rar") returned 4 [0041.082] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString=".bz2") returned 4 [0041.082] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString=".7z") returned 3 [0041.082] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString=".dbf") returned 4 [0041.082] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString=".1cd") returned 4 [0041.082] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.082] lstrlenW (lpString=".jpg") returned 4 [0041.082] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.083] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.083] lstrlenW (lpString="Office32WW.xml") returned 14 [0041.083] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.084] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=4274) returned 1 [0041.084] CloseHandle (hObject=0x1f4) returned 1 [0041.084] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0041.084] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.084] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.084] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.084] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.084] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0041.084] GetLastError () returned 0x0 [0041.084] ReadFile (in: hFile=0x1f4, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0041.086] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0041.087] ReadFile (in: hFile=0x1f4, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.087] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.087] SetEndOfFile (hFile=0x1f8) returned 1 [0041.087] CloseHandle (hObject=0x1f8) returned 1 [0041.088] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.088] SetEndOfFile (hFile=0x1f4) returned 1 [0041.089] CloseHandle (hObject=0x1f4) returned 1 [0041.089] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.089] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0041.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString=".doc") returned 4 [0041.090] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString=".docx") returned 5 [0041.090] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.090] lstrlenW (lpString=".pdf") returned 4 [0041.090] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString=".xls") returned 4 [0041.090] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString=".xlsx") returned 5 [0041.090] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.090] lstrlenW (lpString=".ppt") returned 4 [0041.090] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString=".zip") returned 4 [0041.090] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.090] lstrlenW (lpString=".rar") returned 4 [0041.090] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString=".bz2") returned 4 [0041.090] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString=".7z") returned 3 [0041.090] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString=".dbf") returned 4 [0041.090] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString=".1cd") returned 4 [0041.090] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString=".jpg") returned 4 [0041.090] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.090] lstrlenW (lpString=".doc") returned 4 [0041.090] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.090] lstrlenW (lpString=".docx") returned 5 [0041.091] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.091] lstrlenW (lpString=".pdf") returned 4 [0041.091] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString=".xls") returned 4 [0041.091] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString=".xlsx") returned 5 [0041.091] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.091] lstrlenW (lpString=".ppt") returned 4 [0041.091] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.091] lstrlenW (lpString=".zip") returned 4 [0041.091] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.091] lstrlenW (lpString=".rar") returned 4 [0041.091] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString=".bz2") returned 4 [0041.091] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString=".7z") returned 3 [0041.091] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.091] lstrlenW (lpString=".dbf") returned 4 [0041.091] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.091] lstrlenW (lpString=".1cd") returned 4 [0041.091] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.091] lstrlenW (lpString=".jpg") returned 4 [0041.091] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.091] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.091] lstrlenW (lpString="Setup.xml") returned 9 [0041.091] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.092] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=20577) returned 1 [0041.092] CloseHandle (hObject=0x1f4) returned 1 [0041.092] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0041.092] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.092] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.092] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.092] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.092] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0041.092] GetLastError () returned 0x0 [0041.092] ReadFile (in: hFile=0x1f4, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x5061, lpOverlapped=0x0) returned 1 [0041.098] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0041.099] ReadFile (in: hFile=0x1f4, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.099] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.099] SetEndOfFile (hFile=0x1f8) returned 1 [0041.100] CloseHandle (hObject=0x1f8) returned 1 [0041.101] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.101] SetEndOfFile (hFile=0x1f4) returned 1 [0041.102] CloseHandle (hObject=0x1f4) returned 1 [0041.102] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.102] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.102] lstrlenW (lpString=".doc") returned 4 [0041.102] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.102] lstrlenW (lpString=".docx") returned 5 [0041.102] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0041.102] lstrlenW (lpString=".pdf") returned 4 [0041.102] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.102] lstrlenW (lpString=".xls") returned 4 [0041.102] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.102] lstrlenW (lpString=".xlsx") returned 5 [0041.102] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0041.102] lstrlenW (lpString=".ppt") returned 4 [0041.102] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString=".zip") returned 4 [0041.103] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.103] lstrlenW (lpString=".rar") returned 4 [0041.103] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString=".bz2") returned 4 [0041.103] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString=".7z") returned 3 [0041.103] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString=".dbf") returned 4 [0041.103] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString=".1cd") returned 4 [0041.103] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString=".jpg") returned 4 [0041.103] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString=".doc") returned 4 [0041.103] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString=".docx") returned 5 [0041.103] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0041.103] lstrlenW (lpString=".pdf") returned 4 [0041.103] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString=".xls") returned 4 [0041.103] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString=".xlsx") returned 5 [0041.103] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0041.103] lstrlenW (lpString=".ppt") returned 4 [0041.103] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.103] lstrlenW (lpString=".zip") returned 4 [0041.103] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.104] lstrlenW (lpString=".rar") returned 4 [0041.104] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.104] lstrlenW (lpString=".bz2") returned 4 [0041.104] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.104] lstrlenW (lpString=".7z") returned 3 [0041.104] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.104] lstrlenW (lpString=".dbf") returned 4 [0041.104] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.104] lstrlenW (lpString=".1cd") returned 4 [0041.104] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0041.104] lstrlenW (lpString=".jpg") returned 4 [0041.104] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.104] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.104] lstrlenW (lpString="VisiorWW.xml") returned 12 [0041.104] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0041.515] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=8723) returned 1 [0041.515] CloseHandle (hObject=0x194) returned 1 [0041.515] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0041.515] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0041.515] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.515] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0041.515] GetLastError () returned 0x0 [0041.516] ReadFile (in: hFile=0x194, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x2213, lpOverlapped=0x0) returned 1 [0041.522] WriteFile (in: hFile=0x1e0, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0041.523] ReadFile (in: hFile=0x194, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.523] WriteFile (in: hFile=0x1e0, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.523] SetEndOfFile (hFile=0x1e0) returned 1 [0041.523] CloseHandle (hObject=0x1e0) returned 1 [0041.524] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.524] SetEndOfFile (hFile=0x194) returned 1 [0041.525] CloseHandle (hObject=0x194) returned 1 [0041.525] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.525] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0041.525] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.525] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.526] lstrlenW (lpString=".doc") returned 4 [0041.526] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.526] lstrlenW (lpString=".docx") returned 5 [0041.526] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.526] lstrlenW (lpString=".pdf") returned 4 [0041.526] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.526] lstrlenW (lpString=".xls") returned 4 [0041.526] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.526] lstrlenW (lpString=".xlsx") returned 5 [0041.526] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.526] lstrlenW (lpString=".ppt") returned 4 [0041.526] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.526] lstrlenW (lpString=".zip") returned 4 [0041.526] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.526] lstrlenW (lpString=".rar") returned 4 [0041.526] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.526] lstrlenW (lpString=".bz2") returned 4 [0041.526] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.526] lstrlenW (lpString=".7z") returned 3 [0041.526] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.527] lstrlenW (lpString=".dbf") returned 4 [0041.527] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.527] lstrlenW (lpString=".1cd") returned 4 [0041.527] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.527] lstrlenW (lpString=".jpg") returned 4 [0041.527] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.527] lstrlenW (lpString=".doc") returned 4 [0041.527] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.527] lstrlenW (lpString=".docx") returned 5 [0041.527] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.527] lstrlenW (lpString=".pdf") returned 4 [0041.527] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.527] lstrlenW (lpString=".xls") returned 4 [0041.527] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.527] lstrlenW (lpString=".xlsx") returned 5 [0041.527] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.528] lstrlenW (lpString=".ppt") returned 4 [0041.528] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.528] lstrlenW (lpString=".zip") returned 4 [0041.528] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.528] lstrlenW (lpString=".rar") returned 4 [0041.528] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.528] lstrlenW (lpString=".bz2") returned 4 [0041.528] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.528] lstrlenW (lpString=".7z") returned 3 [0041.528] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.528] lstrlenW (lpString=".dbf") returned 4 [0041.528] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.528] lstrlenW (lpString=".1cd") returned 4 [0041.528] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0041.528] lstrlenW (lpString=".jpg") returned 4 [0041.528] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.529] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0041.529] lstrlenW (lpString="boxed-join.avi") returned 14 [0041.529] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0042.662] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=33280) returned 1 [0042.662] CloseHandle (hObject=0x1a0) returned 1 [0042.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0042.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.663] lstrlenW (lpString=".doc") returned 4 [0042.663] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString=".docx") returned 5 [0042.663] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0042.663] lstrlenW (lpString=".pdf") returned 4 [0042.663] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString=".xls") returned 4 [0042.663] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString=".xlsx") returned 5 [0042.663] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0042.663] lstrlenW (lpString=".ppt") returned 4 [0042.663] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.663] lstrlenW (lpString=".zip") returned 4 [0042.663] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString=".rar") returned 4 [0042.663] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString=".bz2") returned 4 [0042.663] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.663] lstrlenW (lpString=".7z") returned 3 [0042.663] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString=".dbf") returned 4 [0042.664] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString=".1cd") returned 4 [0042.664] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString=".jpg") returned 4 [0042.664] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString=".doc") returned 4 [0042.664] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString=".docx") returned 5 [0042.664] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0042.664] lstrlenW (lpString=".pdf") returned 4 [0042.664] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString=".xls") returned 4 [0042.664] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString=".xlsx") returned 5 [0042.664] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0042.664] lstrlenW (lpString=".ppt") returned 4 [0042.664] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString=".zip") returned 4 [0042.664] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString=".rar") returned 4 [0042.664] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString=".bz2") returned 4 [0042.664] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString=".7z") returned 3 [0042.664] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.664] lstrlenW (lpString=".dbf") returned 4 [0042.664] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.665] lstrlenW (lpString=".1cd") returned 4 [0042.665] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0042.665] lstrlenW (lpString=".jpg") returned 4 [0042.665] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.665] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.665] lstrlenW (lpString="main.xml") returned 8 [0042.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0042.665] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=38485) returned 1 [0042.665] CloseHandle (hObject=0x1a0) returned 1 [0042.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml")) returned 0x20 [0042.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.665] lstrlenW (lpString=".doc") returned 4 [0042.665] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString=".docx") returned 5 [0042.666] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0042.666] lstrlenW (lpString=".pdf") returned 4 [0042.666] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString=".xls") returned 4 [0042.666] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString=".xlsx") returned 5 [0042.666] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0042.666] lstrlenW (lpString=".ppt") returned 4 [0042.666] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.666] lstrlenW (lpString=".zip") returned 4 [0042.666] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.666] lstrlenW (lpString=".rar") returned 4 [0042.666] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString=".bz2") returned 4 [0042.666] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString=".7z") returned 3 [0042.666] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.666] lstrlenW (lpString=".dbf") returned 4 [0042.666] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.666] lstrlenW (lpString=".1cd") returned 4 [0042.666] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.666] lstrlenW (lpString=".jpg") returned 4 [0042.666] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.666] lstrlenW (lpString=".doc") returned 4 [0042.666] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.666] lstrlenW (lpString=".docx") returned 5 [0042.666] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0042.666] lstrlenW (lpString=".pdf") returned 4 [0042.666] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString=".xls") returned 4 [0042.667] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString=".xlsx") returned 5 [0042.667] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0042.667] lstrlenW (lpString=".ppt") returned 4 [0042.667] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.667] lstrlenW (lpString=".zip") returned 4 [0042.667] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.667] lstrlenW (lpString=".rar") returned 4 [0042.667] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString=".bz2") returned 4 [0042.667] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString=".7z") returned 3 [0042.667] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.667] lstrlenW (lpString=".dbf") returned 4 [0042.667] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.667] lstrlenW (lpString=".1cd") returned 4 [0042.667] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0042.667] lstrlenW (lpString=".jpg") returned 4 [0042.667] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.667] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.667] lstrlenW (lpString="numbase.xml") returned 11 [0042.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.845] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1218) returned 1 [0042.845] CloseHandle (hObject=0x1c4) returned 1 [0042.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml")) returned 0x20 [0042.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.846] lstrlenW (lpString=".doc") returned 4 [0042.846] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString=".docx") returned 5 [0042.846] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.846] lstrlenW (lpString=".pdf") returned 4 [0042.846] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString=".xls") returned 4 [0042.846] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString=".xlsx") returned 5 [0042.846] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.846] lstrlenW (lpString=".ppt") returned 4 [0042.846] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.846] lstrlenW (lpString=".zip") returned 4 [0042.846] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.846] lstrlenW (lpString=".rar") returned 4 [0042.846] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString=".bz2") returned 4 [0042.846] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString=".7z") returned 3 [0042.846] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.846] lstrlenW (lpString=".dbf") returned 4 [0042.846] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.846] lstrlenW (lpString=".1cd") returned 4 [0042.846] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.846] lstrlenW (lpString=".jpg") returned 4 [0042.846] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.847] lstrlenW (lpString=".doc") returned 4 [0042.847] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString=".docx") returned 5 [0042.847] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.847] lstrlenW (lpString=".pdf") returned 4 [0042.847] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString=".xls") returned 4 [0042.847] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString=".xlsx") returned 5 [0042.847] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.847] lstrlenW (lpString=".ppt") returned 4 [0042.847] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.847] lstrlenW (lpString=".zip") returned 4 [0042.847] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.847] lstrlenW (lpString=".rar") returned 4 [0042.847] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString=".bz2") returned 4 [0042.847] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString=".7z") returned 3 [0042.847] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.847] lstrlenW (lpString=".dbf") returned 4 [0042.847] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.847] lstrlenW (lpString=".1cd") returned 4 [0042.847] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0042.847] lstrlenW (lpString=".jpg") returned 4 [0042.847] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.847] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.848] lstrlenW (lpString="ipsdan.xml") returned 10 [0042.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.464] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=2514) returned 1 [0043.464] CloseHandle (hObject=0x1a0) returned 1 [0043.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml")) returned 0x20 [0043.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.465] lstrlenW (lpString=".doc") returned 4 [0043.465] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString=".docx") returned 5 [0043.465] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0043.465] lstrlenW (lpString=".pdf") returned 4 [0043.465] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString=".xls") returned 4 [0043.465] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString=".xlsx") returned 5 [0043.465] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0043.465] lstrlenW (lpString=".ppt") returned 4 [0043.465] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.465] lstrlenW (lpString=".zip") returned 4 [0043.465] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0043.465] lstrlenW (lpString=".rar") returned 4 [0043.465] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString=".bz2") returned 4 [0043.465] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString=".7z") returned 3 [0043.465] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0043.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.465] lstrlenW (lpString=".dbf") returned 4 [0043.465] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.465] lstrlenW (lpString=".1cd") returned 4 [0043.465] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0043.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.465] lstrlenW (lpString=".jpg") returned 4 [0043.466] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.466] lstrlenW (lpString=".doc") returned 4 [0043.466] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString=".docx") returned 5 [0043.466] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0043.466] lstrlenW (lpString=".pdf") returned 4 [0043.466] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString=".xls") returned 4 [0043.466] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString=".xlsx") returned 5 [0043.466] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0043.466] lstrlenW (lpString=".ppt") returned 4 [0043.466] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.466] lstrlenW (lpString=".zip") returned 4 [0043.466] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0043.466] lstrlenW (lpString=".rar") returned 4 [0043.466] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString=".bz2") returned 4 [0043.466] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString=".7z") returned 3 [0043.466] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0043.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.466] lstrlenW (lpString=".dbf") returned 4 [0043.466] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.466] lstrlenW (lpString=".1cd") returned 4 [0043.466] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0043.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0043.466] lstrlenW (lpString=".jpg") returned 4 [0043.466] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0043.467] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0043.467] lstrlenW (lpString="AccessMUI.XML") returned 13 [0043.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.467] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1349) returned 1 [0043.468] CloseHandle (hObject=0x1a0) returned 1 [0043.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0043.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.468] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.468] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.468] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.468] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.468] GetLastError () returned 0x0 [0043.468] ReadFile (in: hFile=0x1a0, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x545, lpOverlapped=0x0) returned 1 [0043.661] WriteFile (in: hFile=0x1c4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x550, lpOverlapped=0x0) returned 1 [0043.662] ReadFile (in: hFile=0x1a0, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.662] WriteFile (in: hFile=0x1c4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0043.663] SetEndOfFile (hFile=0x1c4) returned 1 [0043.663] CloseHandle (hObject=0x1c4) returned 1 [0043.663] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.663] SetEndOfFile (hFile=0x1a0) returned 1 [0043.664] CloseHandle (hObject=0x1a0) returned 1 [0043.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0043.665] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0044.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.233] lstrlenW (lpString=".doc") returned 4 [0044.233] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString=".docx") returned 5 [0044.233] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0044.233] lstrlenW (lpString=".pdf") returned 4 [0044.233] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString=".xls") returned 4 [0044.233] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString=".xlsx") returned 5 [0044.233] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0044.233] lstrlenW (lpString=".ppt") returned 4 [0044.233] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.233] lstrlenW (lpString=".zip") returned 4 [0044.233] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.233] lstrlenW (lpString=".rar") returned 4 [0044.233] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString=".bz2") returned 4 [0044.233] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString=".7z") returned 3 [0044.233] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.233] lstrlenW (lpString=".dbf") returned 4 [0044.233] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.233] lstrlenW (lpString=".1cd") returned 4 [0044.233] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.233] lstrlenW (lpString=".jpg") returned 4 [0044.233] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.234] lstrlenW (lpString=".doc") returned 4 [0044.234] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString=".docx") returned 5 [0044.234] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0044.234] lstrlenW (lpString=".pdf") returned 4 [0044.234] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString=".xls") returned 4 [0044.234] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString=".xlsx") returned 5 [0044.234] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0044.234] lstrlenW (lpString=".ppt") returned 4 [0044.234] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.234] lstrlenW (lpString=".zip") returned 4 [0044.234] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.234] lstrlenW (lpString=".rar") returned 4 [0044.234] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString=".bz2") returned 4 [0044.234] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString=".7z") returned 3 [0044.234] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.234] lstrlenW (lpString=".dbf") returned 4 [0044.234] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.234] lstrlenW (lpString=".1cd") returned 4 [0044.234] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0044.234] lstrlenW (lpString=".jpg") returned 4 [0044.234] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.235] lstrcmpiW (lpString1=".CHM", lpString2=".NcOv") returned -1 [0044.235] lstrlenW (lpString="OCT.CHM") returned 7 [0044.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.943] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=71236) returned 1 [0044.943] CloseHandle (hObject=0x188) returned 1 [0044.943] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0044.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0044.951] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.951] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.954] GetLastError () returned 0x0 [0044.964] ReadFile (in: hFile=0x1e8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x11644, lpOverlapped=0x0) returned 1 [0044.985] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x11650, lpOverlapped=0x0) returned 1 [0044.987] ReadFile (in: hFile=0x1e8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.987] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0044.987] SetEndOfFile (hFile=0x1f8) returned 1 [0044.987] CloseHandle (hObject=0x1f8) returned 1 [0044.989] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.989] SetEndOfFile (hFile=0x1e8) returned 1 [0044.990] CloseHandle (hObject=0x1e8) returned 1 [0044.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.991] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0044.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.991] lstrlenW (lpString=".doc") returned 4 [0044.991] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0044.991] lstrlenW (lpString=".docx") returned 5 [0044.991] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0044.991] lstrlenW (lpString=".pdf") returned 4 [0044.991] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0044.991] lstrlenW (lpString=".xls") returned 4 [0044.992] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0044.992] lstrlenW (lpString=".xlsx") returned 5 [0044.992] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0044.992] lstrlenW (lpString=".ppt") returned 4 [0044.992] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0044.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.992] lstrlenW (lpString=".zip") returned 4 [0044.992] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0044.992] lstrlenW (lpString=".rar") returned 4 [0044.992] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0044.992] lstrlenW (lpString=".bz2") returned 4 [0044.992] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0044.992] lstrlenW (lpString=".7z") returned 3 [0044.992] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0044.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.992] lstrlenW (lpString=".dbf") returned 4 [0044.992] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0044.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.992] lstrlenW (lpString=".1cd") returned 4 [0044.992] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0044.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.992] lstrlenW (lpString=".jpg") returned 4 [0044.992] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0044.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.993] lstrlenW (lpString=".doc") returned 4 [0044.993] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString=".docx") returned 5 [0044.993] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0044.993] lstrlenW (lpString=".pdf") returned 4 [0044.993] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString=".xls") returned 4 [0044.993] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString=".xlsx") returned 5 [0044.993] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0044.993] lstrlenW (lpString=".ppt") returned 4 [0044.993] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.993] lstrlenW (lpString=".zip") returned 4 [0044.993] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString=".rar") returned 4 [0044.993] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString=".bz2") returned 4 [0044.993] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0044.993] lstrlenW (lpString=".7z") returned 3 [0044.993] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.993] lstrlenW (lpString=".dbf") returned 4 [0044.993] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.993] lstrlenW (lpString=".1cd") returned 4 [0044.993] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0044.994] lstrlenW (lpString=".jpg") returned 4 [0044.994] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0044.994] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.994] lstrlenW (lpString="SETUP.XML") returned 9 [0044.994] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.590] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1988) returned 1 [0046.590] CloseHandle (hObject=0x204) returned 1 [0046.590] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0046.590] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.590] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.590] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.590] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.590] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.591] GetLastError () returned 0x0 [0046.591] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0046.602] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0046.616] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.617] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.617] SetEndOfFile (hFile=0x1dc) returned 1 [0046.618] CloseHandle (hObject=0x1dc) returned 1 [0046.619] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.619] SetEndOfFile (hFile=0x204) returned 1 [0046.620] CloseHandle (hObject=0x204) returned 1 [0046.620] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.621] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0046.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.621] lstrlenW (lpString=".doc") returned 4 [0046.621] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.621] lstrlenW (lpString=".docx") returned 5 [0046.621] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0046.621] lstrlenW (lpString=".pdf") returned 4 [0046.621] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.621] lstrlenW (lpString=".xls") returned 4 [0046.621] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.621] lstrlenW (lpString=".xlsx") returned 5 [0046.621] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0046.621] lstrlenW (lpString=".ppt") returned 4 [0046.621] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.621] lstrlenW (lpString=".zip") returned 4 [0046.621] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.621] lstrlenW (lpString=".rar") returned 4 [0046.622] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString=".bz2") returned 4 [0046.622] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString=".7z") returned 3 [0046.622] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.622] lstrlenW (lpString=".dbf") returned 4 [0046.622] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.622] lstrlenW (lpString=".1cd") returned 4 [0046.622] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.622] lstrlenW (lpString=".jpg") returned 4 [0046.622] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.622] lstrlenW (lpString=".doc") returned 4 [0046.622] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString=".docx") returned 5 [0046.622] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0046.622] lstrlenW (lpString=".pdf") returned 4 [0046.622] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString=".xls") returned 4 [0046.622] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.622] lstrlenW (lpString=".xlsx") returned 5 [0046.622] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0046.622] lstrlenW (lpString=".ppt") returned 4 [0046.623] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.623] lstrlenW (lpString=".zip") returned 4 [0046.623] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.623] lstrlenW (lpString=".rar") returned 4 [0046.623] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.623] lstrlenW (lpString=".bz2") returned 4 [0046.623] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.623] lstrlenW (lpString=".7z") returned 3 [0046.623] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.623] lstrlenW (lpString=".dbf") returned 4 [0046.623] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.623] lstrlenW (lpString=".1cd") returned 4 [0046.623] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0046.623] lstrlenW (lpString=".jpg") returned 4 [0046.623] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.623] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0046.623] lstrlenW (lpString="DATES.XML") returned 9 [0046.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.624] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=8918) returned 1 [0046.624] CloseHandle (hObject=0x204) returned 1 [0046.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0046.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.624] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.624] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.624] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.624] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.641] GetLastError () returned 0x0 [0046.641] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x22d6, lpOverlapped=0x0) returned 1 [0046.643] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0046.644] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.644] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.645] SetEndOfFile (hFile=0x1f8) returned 1 [0046.645] CloseHandle (hObject=0x1f8) returned 1 [0046.647] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.647] SetEndOfFile (hFile=0x204) returned 1 [0046.648] CloseHandle (hObject=0x204) returned 1 [0046.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.649] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.649] lstrlenW (lpString=".doc") returned 4 [0046.649] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.649] lstrlenW (lpString=".docx") returned 5 [0046.649] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0046.649] lstrlenW (lpString=".pdf") returned 4 [0046.649] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.649] lstrlenW (lpString=".xls") returned 4 [0046.649] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.649] lstrlenW (lpString=".xlsx") returned 5 [0046.649] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0046.649] lstrlenW (lpString=".ppt") returned 4 [0046.649] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.649] lstrlenW (lpString=".zip") returned 4 [0046.649] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.649] lstrlenW (lpString=".rar") returned 4 [0046.649] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString=".bz2") returned 4 [0046.650] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString=".7z") returned 3 [0046.650] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.650] lstrlenW (lpString=".dbf") returned 4 [0046.650] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.650] lstrlenW (lpString=".1cd") returned 4 [0046.650] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.650] lstrlenW (lpString=".jpg") returned 4 [0046.650] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.650] lstrlenW (lpString=".doc") returned 4 [0046.650] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString=".docx") returned 5 [0046.650] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0046.650] lstrlenW (lpString=".pdf") returned 4 [0046.650] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString=".xls") returned 4 [0046.650] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString=".xlsx") returned 5 [0046.650] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0046.650] lstrlenW (lpString=".ppt") returned 4 [0046.650] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.651] lstrlenW (lpString=".zip") returned 4 [0046.651] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.651] lstrlenW (lpString=".rar") returned 4 [0046.651] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.651] lstrlenW (lpString=".bz2") returned 4 [0046.651] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.651] lstrlenW (lpString=".7z") returned 3 [0046.651] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.651] lstrlenW (lpString=".dbf") returned 4 [0046.651] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.651] lstrlenW (lpString=".1cd") returned 4 [0046.651] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0046.651] lstrlenW (lpString=".jpg") returned 4 [0046.651] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.651] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0046.651] lstrlenW (lpString="PHONE.XML") returned 9 [0046.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.652] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1844) returned 1 [0046.652] CloseHandle (hObject=0x204) returned 1 [0046.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0046.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.652] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.652] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.652] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.652] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.653] GetLastError () returned 0x0 [0046.653] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x734, lpOverlapped=0x0) returned 1 [0046.655] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x740, lpOverlapped=0x0) returned 1 [0046.656] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.656] WriteFile (in: hFile=0x1f8, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.656] SetEndOfFile (hFile=0x1f8) returned 1 [0046.656] CloseHandle (hObject=0x1f8) returned 1 [0046.658] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.658] SetEndOfFile (hFile=0x204) returned 1 [0046.659] CloseHandle (hObject=0x204) returned 1 [0046.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0046.659] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0046.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.660] lstrlenW (lpString=".doc") returned 4 [0046.660] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString=".docx") returned 5 [0046.660] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0046.660] lstrlenW (lpString=".pdf") returned 4 [0046.660] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString=".xls") returned 4 [0046.660] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString=".xlsx") returned 5 [0046.660] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0046.660] lstrlenW (lpString=".ppt") returned 4 [0046.660] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.660] lstrlenW (lpString=".zip") returned 4 [0046.660] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.660] lstrlenW (lpString=".rar") returned 4 [0046.660] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString=".bz2") returned 4 [0046.660] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString=".7z") returned 3 [0046.660] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.660] lstrlenW (lpString=".dbf") returned 4 [0046.660] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.660] lstrlenW (lpString=".1cd") returned 4 [0046.660] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.661] lstrlenW (lpString=".jpg") returned 4 [0046.661] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.661] lstrlenW (lpString=".doc") returned 4 [0046.661] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString=".docx") returned 5 [0046.661] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0046.661] lstrlenW (lpString=".pdf") returned 4 [0046.661] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString=".xls") returned 4 [0046.661] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString=".xlsx") returned 5 [0046.661] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0046.661] lstrlenW (lpString=".ppt") returned 4 [0046.661] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.661] lstrlenW (lpString=".zip") returned 4 [0046.661] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0046.661] lstrlenW (lpString=".rar") returned 4 [0046.661] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString=".bz2") returned 4 [0046.661] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0046.661] lstrlenW (lpString=".7z") returned 3 [0046.661] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0046.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.661] lstrlenW (lpString=".dbf") returned 4 [0046.661] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0046.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.662] lstrlenW (lpString=".1cd") returned 4 [0046.662] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0046.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0046.662] lstrlenW (lpString=".jpg") returned 4 [0046.662] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0046.662] lstrcmpiW (lpString1=".DAT", lpString2=".NcOv") returned -1 [0046.662] lstrlenW (lpString="STOCKS.DAT") returned 10 [0046.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.701] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=39017) returned 1 [0047.701] CloseHandle (hObject=0x208) returned 1 [0047.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0047.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.701] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.701] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.701] GetLastError () returned 0x0 [0047.701] ReadFile (in: hFile=0x208, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x9869, lpOverlapped=0x0) returned 1 [0047.704] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x9870, lpOverlapped=0x0) returned 1 [0047.705] ReadFile (in: hFile=0x208, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.705] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0047.705] SetEndOfFile (hFile=0x1ec) returned 1 [0047.705] CloseHandle (hObject=0x1ec) returned 1 [0047.706] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.706] SetEndOfFile (hFile=0x208) returned 1 [0047.707] CloseHandle (hObject=0x208) returned 1 [0047.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0047.707] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0047.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.707] lstrlenW (lpString=".doc") returned 4 [0047.707] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0047.707] lstrlenW (lpString=".docx") returned 5 [0047.707] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0047.707] lstrlenW (lpString=".pdf") returned 4 [0047.707] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0047.707] lstrlenW (lpString=".xls") returned 4 [0047.707] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0047.707] lstrlenW (lpString=".xlsx") returned 5 [0047.707] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0047.707] lstrlenW (lpString=".ppt") returned 4 [0047.707] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0047.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.707] lstrlenW (lpString=".zip") returned 4 [0047.707] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".rar") returned 4 [0047.708] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".bz2") returned 4 [0047.708] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0047.708] lstrlenW (lpString=".7z") returned 3 [0047.708] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0047.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.708] lstrlenW (lpString=".dbf") returned 4 [0047.708] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.708] lstrlenW (lpString=".1cd") returned 4 [0047.708] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0047.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.708] lstrlenW (lpString=".jpg") returned 4 [0047.708] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.708] lstrlenW (lpString=".doc") returned 4 [0047.708] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".docx") returned 5 [0047.708] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0047.708] lstrlenW (lpString=".pdf") returned 4 [0047.708] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".xls") returned 4 [0047.708] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".xlsx") returned 5 [0047.708] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0047.708] lstrlenW (lpString=".ppt") returned 4 [0047.708] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.708] lstrlenW (lpString=".zip") returned 4 [0047.708] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".rar") returned 4 [0047.708] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0047.708] lstrlenW (lpString=".bz2") returned 4 [0047.708] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0047.709] lstrlenW (lpString=".7z") returned 3 [0047.709] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0047.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.709] lstrlenW (lpString=".dbf") returned 4 [0047.709] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0047.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.709] lstrlenW (lpString=".1cd") returned 4 [0047.709] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0047.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0047.709] lstrlenW (lpString=".jpg") returned 4 [0047.709] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0047.709] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0047.709] lstrlenW (lpString="TIME.XML") returned 8 [0047.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.709] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=8564) returned 1 [0047.709] CloseHandle (hObject=0x208) returned 1 [0047.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0047.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.710] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.710] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.710] GetLastError () returned 0x0 [0047.710] ReadFile (in: hFile=0x208, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x2174, lpOverlapped=0x0) returned 1 [0047.712] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0047.713] ReadFile (in: hFile=0x208, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.713] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0047.713] SetEndOfFile (hFile=0x1ec) returned 1 [0047.714] CloseHandle (hObject=0x1ec) returned 1 [0047.714] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.714] SetEndOfFile (hFile=0x208) returned 1 [0047.715] CloseHandle (hObject=0x208) returned 1 [0047.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0047.715] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0047.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.715] lstrlenW (lpString=".doc") returned 4 [0047.715] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0047.715] lstrlenW (lpString=".docx") returned 5 [0047.716] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0047.716] lstrlenW (lpString=".pdf") returned 4 [0047.716] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString=".xls") returned 4 [0047.716] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString=".xlsx") returned 5 [0047.716] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0047.716] lstrlenW (lpString=".ppt") returned 4 [0047.716] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.716] lstrlenW (lpString=".zip") returned 4 [0047.716] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0047.716] lstrlenW (lpString=".rar") returned 4 [0047.716] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString=".bz2") returned 4 [0047.716] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString=".7z") returned 3 [0047.716] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0047.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.716] lstrlenW (lpString=".dbf") returned 4 [0047.716] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.716] lstrlenW (lpString=".1cd") returned 4 [0047.716] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.716] lstrlenW (lpString=".jpg") returned 4 [0047.716] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.716] lstrlenW (lpString=".doc") returned 4 [0047.716] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0047.716] lstrlenW (lpString=".docx") returned 5 [0047.716] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0047.716] lstrlenW (lpString=".pdf") returned 4 [0047.717] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString=".xls") returned 4 [0047.717] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString=".xlsx") returned 5 [0047.717] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0047.717] lstrlenW (lpString=".ppt") returned 4 [0047.717] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.717] lstrlenW (lpString=".zip") returned 4 [0047.717] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0047.717] lstrlenW (lpString=".rar") returned 4 [0047.717] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString=".bz2") returned 4 [0047.717] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString=".7z") returned 3 [0047.717] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0047.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.717] lstrlenW (lpString=".dbf") returned 4 [0047.717] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.717] lstrlenW (lpString=".1cd") returned 4 [0047.717] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0047.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0047.717] lstrlenW (lpString=".jpg") returned 4 [0047.717] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0047.717] lstrcmpiW (lpString1=".XSL", lpString2=".NcOv") returned 1 [0047.717] lstrlenW (lpString="BASMLA.XSL") returned 10 [0047.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.718] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=227311) returned 1 [0047.718] CloseHandle (hObject=0x208) returned 1 [0047.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0047.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.718] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.718] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.719] GetLastError () returned 0x0 [0047.719] ReadFile (in: hFile=0x208, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x377ef, lpOverlapped=0x0) returned 1 [0047.724] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0047.728] ReadFile (in: hFile=0x208, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.728] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0047.728] SetEndOfFile (hFile=0x1ec) returned 1 [0047.728] CloseHandle (hObject=0x1ec) returned 1 [0047.729] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.729] SetEndOfFile (hFile=0x208) returned 1 [0047.731] CloseHandle (hObject=0x208) returned 1 [0047.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0047.731] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0047.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.731] lstrlenW (lpString=".doc") returned 4 [0047.731] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0047.731] lstrlenW (lpString=".docx") returned 5 [0047.731] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0047.731] lstrlenW (lpString=".pdf") returned 4 [0047.731] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0047.731] lstrlenW (lpString=".xls") returned 4 [0047.731] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0047.731] lstrlenW (lpString=".xlsx") returned 5 [0047.731] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0047.731] lstrlenW (lpString=".ppt") returned 4 [0047.731] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString=".zip") returned 4 [0047.732] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0047.732] lstrlenW (lpString=".rar") returned 4 [0047.732] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString=".bz2") returned 4 [0047.732] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString=".7z") returned 3 [0047.732] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString=".dbf") returned 4 [0047.732] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString=".1cd") returned 4 [0047.732] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString=".jpg") returned 4 [0047.732] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString=".doc") returned 4 [0047.732] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString=".docx") returned 5 [0047.732] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0047.732] lstrlenW (lpString=".pdf") returned 4 [0047.732] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString=".xls") returned 4 [0047.732] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString=".xlsx") returned 5 [0047.732] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0047.732] lstrlenW (lpString=".ppt") returned 4 [0047.732] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0047.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.732] lstrlenW (lpString=".zip") returned 4 [0047.732] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0047.732] lstrlenW (lpString=".rar") returned 4 [0047.732] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0047.733] lstrlenW (lpString=".bz2") returned 4 [0047.733] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0047.733] lstrlenW (lpString=".7z") returned 3 [0047.733] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0047.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.733] lstrlenW (lpString=".dbf") returned 4 [0047.733] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0047.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.733] lstrlenW (lpString=".1cd") returned 4 [0047.733] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0047.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0047.733] lstrlenW (lpString=".jpg") returned 4 [0047.733] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0047.733] lstrcmpiW (lpString1=".TXT", lpString2=".NcOv") returned 1 [0047.733] lstrlenW (lpString="METCONV.TXT") returned 11 [0047.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.740] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1183416) returned 1 [0047.740] CloseHandle (hObject=0x194) returned 1 [0047.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0047.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.740] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.740] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.741] GetLastError () returned 0x0 [0047.741] ReadFile (in: hFile=0x194, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.062] WriteFile (in: hFile=0x204, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.079] ReadFile (in: hFile=0x194, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0048.890] WriteFile (in: hFile=0x204, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0048.895] ReadFile (in: hFile=0x194, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.895] WriteFile (in: hFile=0x204, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.895] SetEndOfFile (hFile=0x204) returned 1 [0048.895] CloseHandle (hObject=0x204) returned 1 [0048.896] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.896] SetEndOfFile (hFile=0x194) returned 1 [0048.897] CloseHandle (hObject=0x194) returned 1 [0048.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0048.898] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0048.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.900] lstrlenW (lpString=".doc") returned 4 [0048.900] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0048.900] lstrlenW (lpString=".docx") returned 5 [0048.900] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0048.900] lstrlenW (lpString=".pdf") returned 4 [0048.901] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString=".xls") returned 4 [0048.901] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0048.901] lstrlenW (lpString=".xlsx") returned 5 [0048.901] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0048.901] lstrlenW (lpString=".ppt") returned 4 [0048.901] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.901] lstrlenW (lpString=".zip") returned 4 [0048.901] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0048.901] lstrlenW (lpString=".rar") returned 4 [0048.901] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString=".bz2") returned 4 [0048.901] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString=".7z") returned 3 [0048.901] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0048.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.901] lstrlenW (lpString=".dbf") returned 4 [0048.901] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.901] lstrlenW (lpString=".1cd") returned 4 [0048.901] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.901] lstrlenW (lpString=".jpg") returned 4 [0048.901] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.901] lstrlenW (lpString=".doc") returned 4 [0048.901] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0048.901] lstrlenW (lpString=".docx") returned 5 [0048.901] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0048.902] lstrlenW (lpString=".pdf") returned 4 [0048.902] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0048.902] lstrlenW (lpString=".xls") returned 4 [0048.902] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0048.902] lstrlenW (lpString=".xlsx") returned 5 [0048.902] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0048.902] lstrlenW (lpString=".ppt") returned 4 [0048.902] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0048.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.902] lstrlenW (lpString=".zip") returned 4 [0048.902] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0048.902] lstrlenW (lpString=".rar") returned 4 [0048.902] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0048.902] lstrlenW (lpString=".bz2") returned 4 [0048.902] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0048.902] lstrlenW (lpString=".7z") returned 3 [0048.902] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0048.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.902] lstrlenW (lpString=".dbf") returned 4 [0048.902] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0048.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.902] lstrlenW (lpString=".1cd") returned 4 [0048.902] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0048.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0048.902] lstrlenW (lpString=".jpg") returned 4 [0048.902] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0048.902] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0048.902] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.924] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1560) returned 1 [0048.924] CloseHandle (hObject=0x200) returned 1 [0048.926] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0048.926] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.929] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.929] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.017] GetLastError () returned 0x0 [0049.017] ReadFile (in: hFile=0x200, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x618, lpOverlapped=0x0) returned 1 [0049.043] WriteFile (in: hFile=0x1c4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x620, lpOverlapped=0x0) returned 1 [0049.044] ReadFile (in: hFile=0x200, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.044] WriteFile (in: hFile=0x1c4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.044] SetEndOfFile (hFile=0x1c4) returned 1 [0049.044] CloseHandle (hObject=0x1c4) returned 1 [0049.044] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.044] SetEndOfFile (hFile=0x200) returned 1 [0049.045] CloseHandle (hObject=0x200) returned 1 [0049.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.045] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0049.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.046] lstrlenW (lpString=".doc") returned 4 [0049.046] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.046] lstrlenW (lpString=".docx") returned 5 [0049.046] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.046] lstrlenW (lpString=".pdf") returned 4 [0049.046] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.046] lstrlenW (lpString=".xls") returned 4 [0049.046] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.046] lstrlenW (lpString=".xlsx") returned 5 [0049.046] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.046] lstrlenW (lpString=".ppt") returned 4 [0049.046] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.046] lstrlenW (lpString=".zip") returned 4 [0049.046] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.046] lstrlenW (lpString=".rar") returned 4 [0049.046] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.046] lstrlenW (lpString=".bz2") returned 4 [0049.046] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.046] lstrlenW (lpString=".7z") returned 3 [0049.046] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.046] lstrlenW (lpString=".dbf") returned 4 [0049.046] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.047] lstrlenW (lpString=".1cd") returned 4 [0049.047] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.047] lstrlenW (lpString=".jpg") returned 4 [0049.047] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.047] lstrlenW (lpString=".doc") returned 4 [0049.047] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.047] lstrlenW (lpString=".docx") returned 5 [0049.047] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.047] lstrlenW (lpString=".pdf") returned 4 [0049.047] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.047] lstrlenW (lpString=".xls") returned 4 [0049.047] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.047] lstrlenW (lpString=".xlsx") returned 5 [0049.047] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.047] lstrlenW (lpString=".ppt") returned 4 [0049.047] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.047] lstrlenW (lpString=".zip") returned 4 [0049.047] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.047] lstrlenW (lpString=".rar") returned 4 [0049.047] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.047] lstrlenW (lpString=".bz2") returned 4 [0049.047] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.047] lstrlenW (lpString=".7z") returned 3 [0049.047] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.047] lstrlenW (lpString=".dbf") returned 4 [0049.048] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.048] lstrlenW (lpString=".1cd") returned 4 [0049.048] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0049.048] lstrlenW (lpString=".jpg") returned 4 [0049.048] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.048] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.048] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.048] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=33009) returned 1 [0049.048] CloseHandle (hObject=0x200) returned 1 [0049.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0049.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.049] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.049] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.049] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.049] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.049] GetLastError () returned 0x0 [0049.049] ReadFile (in: hFile=0x200, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x80f1, lpOverlapped=0x0) returned 1 [0049.139] WriteFile (in: hFile=0x1c4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x8100, lpOverlapped=0x0) returned 1 [0049.142] ReadFile (in: hFile=0x200, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.142] WriteFile (in: hFile=0x1c4, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.142] SetEndOfFile (hFile=0x1c4) returned 1 [0049.143] CloseHandle (hObject=0x1c4) returned 1 [0049.143] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.143] SetEndOfFile (hFile=0x200) returned 1 [0049.146] CloseHandle (hObject=0x200) returned 1 [0049.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.360] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0049.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.361] lstrlenW (lpString=".doc") returned 4 [0049.361] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.361] lstrlenW (lpString=".docx") returned 5 [0049.361] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.361] lstrlenW (lpString=".pdf") returned 4 [0049.361] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.361] lstrlenW (lpString=".xls") returned 4 [0049.361] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.361] lstrlenW (lpString=".xlsx") returned 5 [0049.361] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.361] lstrlenW (lpString=".ppt") returned 4 [0049.361] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.361] lstrlenW (lpString=".zip") returned 4 [0049.361] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.361] lstrlenW (lpString=".rar") returned 4 [0049.361] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.361] lstrlenW (lpString=".bz2") returned 4 [0049.361] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.361] lstrlenW (lpString=".7z") returned 3 [0049.361] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.361] lstrlenW (lpString=".dbf") returned 4 [0049.361] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.361] lstrlenW (lpString=".1cd") returned 4 [0049.361] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.362] lstrlenW (lpString=".jpg") returned 4 [0049.362] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.362] lstrlenW (lpString=".doc") returned 4 [0049.362] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.362] lstrlenW (lpString=".docx") returned 5 [0049.362] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.362] lstrlenW (lpString=".pdf") returned 4 [0049.362] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.362] lstrlenW (lpString=".xls") returned 4 [0049.362] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.362] lstrlenW (lpString=".xlsx") returned 5 [0049.362] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.362] lstrlenW (lpString=".ppt") returned 4 [0049.362] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.362] lstrlenW (lpString=".zip") returned 4 [0049.362] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.362] lstrlenW (lpString=".rar") returned 4 [0049.362] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.362] lstrlenW (lpString=".bz2") returned 4 [0049.362] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.362] lstrlenW (lpString=".7z") returned 3 [0049.362] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.362] lstrlenW (lpString=".dbf") returned 4 [0049.363] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.363] lstrlenW (lpString=".1cd") returned 4 [0049.363] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0049.363] lstrlenW (lpString=".jpg") returned 4 [0049.363] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.363] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.363] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.364] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=29925) returned 1 [0049.364] CloseHandle (hObject=0x200) returned 1 [0049.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0049.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.376] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.376] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0049.388] GetLastError () returned 0x0 [0049.389] ReadFile (in: hFile=0x200, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x74e5, lpOverlapped=0x0) returned 1 [0049.399] WriteFile (in: hFile=0x188, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0049.400] ReadFile (in: hFile=0x200, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.400] WriteFile (in: hFile=0x188, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.401] SetEndOfFile (hFile=0x188) returned 1 [0049.401] CloseHandle (hObject=0x188) returned 1 [0049.401] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.401] SetEndOfFile (hFile=0x200) returned 1 [0049.402] CloseHandle (hObject=0x200) returned 1 [0049.402] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.403] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0049.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.403] lstrlenW (lpString=".doc") returned 4 [0049.403] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.403] lstrlenW (lpString=".docx") returned 5 [0049.403] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.403] lstrlenW (lpString=".pdf") returned 4 [0049.403] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.403] lstrlenW (lpString=".xls") returned 4 [0049.403] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.403] lstrlenW (lpString=".xlsx") returned 5 [0049.403] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.403] lstrlenW (lpString=".ppt") returned 4 [0049.403] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.403] lstrlenW (lpString=".zip") returned 4 [0049.403] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.403] lstrlenW (lpString=".rar") returned 4 [0049.404] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.404] lstrlenW (lpString=".bz2") returned 4 [0049.404] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.404] lstrlenW (lpString=".7z") returned 3 [0049.404] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.404] lstrlenW (lpString=".dbf") returned 4 [0049.404] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.404] lstrlenW (lpString=".1cd") returned 4 [0049.404] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.404] lstrlenW (lpString=".jpg") returned 4 [0049.404] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.404] lstrlenW (lpString=".doc") returned 4 [0049.404] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.404] lstrlenW (lpString=".docx") returned 5 [0049.404] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.404] lstrlenW (lpString=".pdf") returned 4 [0049.404] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.404] lstrlenW (lpString=".xls") returned 4 [0049.404] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.404] lstrlenW (lpString=".xlsx") returned 5 [0049.404] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.404] lstrlenW (lpString=".ppt") returned 4 [0049.405] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.405] lstrlenW (lpString=".zip") returned 4 [0049.405] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.405] lstrlenW (lpString=".rar") returned 4 [0049.405] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.405] lstrlenW (lpString=".bz2") returned 4 [0049.405] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.405] lstrlenW (lpString=".7z") returned 3 [0049.405] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.405] lstrlenW (lpString=".dbf") returned 4 [0049.405] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.405] lstrlenW (lpString=".1cd") returned 4 [0049.405] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0049.405] lstrlenW (lpString=".jpg") returned 4 [0049.405] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.940] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0049.940] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.940] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=1293) returned 1 [0049.941] CloseHandle (hObject=0x204) returned 1 [0049.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0049.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.941] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.941] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.947] GetLastError () returned 0x0 [0049.948] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x50d, lpOverlapped=0x0) returned 1 [0049.951] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x510, lpOverlapped=0x0) returned 1 [0049.953] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.953] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.953] SetEndOfFile (hFile=0x1ec) returned 1 [0049.953] CloseHandle (hObject=0x1ec) returned 1 [0049.953] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.953] SetEndOfFile (hFile=0x204) returned 1 [0049.954] CloseHandle (hObject=0x204) returned 1 [0049.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.955] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0049.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.955] lstrlenW (lpString=".doc") returned 4 [0049.955] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.955] lstrlenW (lpString=".docx") returned 5 [0049.955] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.955] lstrlenW (lpString=".pdf") returned 4 [0049.955] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.955] lstrlenW (lpString=".xls") returned 4 [0049.955] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.955] lstrlenW (lpString=".xlsx") returned 5 [0049.956] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.956] lstrlenW (lpString=".ppt") returned 4 [0049.956] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.956] lstrlenW (lpString=".zip") returned 4 [0049.956] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.956] lstrlenW (lpString=".rar") returned 4 [0049.956] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.956] lstrlenW (lpString=".bz2") returned 4 [0049.956] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.956] lstrlenW (lpString=".7z") returned 3 [0049.956] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.956] lstrlenW (lpString=".dbf") returned 4 [0049.956] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.956] lstrlenW (lpString=".1cd") returned 4 [0049.956] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.956] lstrlenW (lpString=".jpg") returned 4 [0049.956] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.956] lstrlenW (lpString=".doc") returned 4 [0049.956] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.956] lstrlenW (lpString=".docx") returned 5 [0049.957] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.957] lstrlenW (lpString=".pdf") returned 4 [0049.957] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.957] lstrlenW (lpString=".xls") returned 4 [0049.957] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.957] lstrlenW (lpString=".xlsx") returned 5 [0049.957] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.957] lstrlenW (lpString=".ppt") returned 4 [0049.957] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.957] lstrlenW (lpString=".zip") returned 4 [0049.957] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.957] lstrlenW (lpString=".rar") returned 4 [0049.957] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.957] lstrlenW (lpString=".bz2") returned 4 [0049.957] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.957] lstrlenW (lpString=".7z") returned 3 [0049.957] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.957] lstrlenW (lpString=".dbf") returned 4 [0049.957] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.957] lstrlenW (lpString=".1cd") returned 4 [0049.957] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0049.957] lstrlenW (lpString=".jpg") returned 4 [0049.957] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.958] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.958] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.958] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=28595) returned 1 [0049.958] CloseHandle (hObject=0x204) returned 1 [0049.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0049.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.959] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.959] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.959] GetLastError () returned 0x0 [0049.959] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0049.962] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0049.964] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.964] WriteFile (in: hFile=0x1ec, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.964] SetEndOfFile (hFile=0x1ec) returned 1 [0049.965] CloseHandle (hObject=0x1ec) returned 1 [0049.965] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.965] SetEndOfFile (hFile=0x204) returned 1 [0049.966] CloseHandle (hObject=0x204) returned 1 [0049.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.966] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0049.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.967] lstrlenW (lpString=".doc") returned 4 [0049.967] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.967] lstrlenW (lpString=".docx") returned 5 [0049.967] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.967] lstrlenW (lpString=".pdf") returned 4 [0049.967] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.967] lstrlenW (lpString=".xls") returned 4 [0049.967] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.967] lstrlenW (lpString=".xlsx") returned 5 [0049.967] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.967] lstrlenW (lpString=".ppt") returned 4 [0049.967] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.967] lstrlenW (lpString=".zip") returned 4 [0049.967] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.967] lstrlenW (lpString=".rar") returned 4 [0049.967] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.967] lstrlenW (lpString=".bz2") returned 4 [0049.967] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.967] lstrlenW (lpString=".7z") returned 3 [0049.967] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.967] lstrlenW (lpString=".dbf") returned 4 [0049.968] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.968] lstrlenW (lpString=".1cd") returned 4 [0049.968] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.968] lstrlenW (lpString=".jpg") returned 4 [0049.968] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.968] lstrlenW (lpString=".doc") returned 4 [0049.968] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.968] lstrlenW (lpString=".docx") returned 5 [0049.968] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.968] lstrlenW (lpString=".pdf") returned 4 [0049.968] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.968] lstrlenW (lpString=".xls") returned 4 [0049.968] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.968] lstrlenW (lpString=".xlsx") returned 5 [0049.968] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.968] lstrlenW (lpString=".ppt") returned 4 [0049.968] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.968] lstrlenW (lpString=".zip") returned 4 [0049.968] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.968] lstrlenW (lpString=".rar") returned 4 [0049.968] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.968] lstrlenW (lpString=".bz2") returned 4 [0049.969] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.969] lstrlenW (lpString=".7z") returned 3 [0049.969] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.969] lstrlenW (lpString=".dbf") returned 4 [0049.969] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.969] lstrlenW (lpString=".1cd") returned 4 [0049.969] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0049.969] lstrlenW (lpString=".jpg") returned 4 [0049.969] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.969] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0049.969] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.970] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=3957) returned 1 [0049.970] CloseHandle (hObject=0x204) returned 1 [0049.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0049.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.970] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.970] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.976] GetLastError () returned 0x0 [0049.976] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0xf75, lpOverlapped=0x0) returned 1 [0049.978] WriteFile (in: hFile=0x210, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0049.979] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.980] WriteFile (in: hFile=0x210, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.980] SetEndOfFile (hFile=0x210) returned 1 [0049.980] CloseHandle (hObject=0x210) returned 1 [0049.980] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.980] SetEndOfFile (hFile=0x204) returned 1 [0049.981] CloseHandle (hObject=0x204) returned 1 [0049.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.982] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0049.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.982] lstrlenW (lpString=".doc") returned 4 [0049.982] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.982] lstrlenW (lpString=".docx") returned 5 [0049.982] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.982] lstrlenW (lpString=".pdf") returned 4 [0049.982] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.982] lstrlenW (lpString=".xls") returned 4 [0049.982] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.982] lstrlenW (lpString=".xlsx") returned 5 [0049.982] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.982] lstrlenW (lpString=".ppt") returned 4 [0049.982] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.983] lstrlenW (lpString=".zip") returned 4 [0049.983] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.983] lstrlenW (lpString=".rar") returned 4 [0049.983] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.983] lstrlenW (lpString=".bz2") returned 4 [0049.983] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.983] lstrlenW (lpString=".7z") returned 3 [0049.983] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.983] lstrlenW (lpString=".dbf") returned 4 [0049.983] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.983] lstrlenW (lpString=".1cd") returned 4 [0049.983] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.983] lstrlenW (lpString=".jpg") returned 4 [0049.983] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.983] lstrlenW (lpString=".doc") returned 4 [0049.983] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.983] lstrlenW (lpString=".docx") returned 5 [0049.983] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.983] lstrlenW (lpString=".pdf") returned 4 [0049.983] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.983] lstrlenW (lpString=".xls") returned 4 [0049.983] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.984] lstrlenW (lpString=".xlsx") returned 5 [0049.984] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.984] lstrlenW (lpString=".ppt") returned 4 [0049.984] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.984] lstrlenW (lpString=".zip") returned 4 [0049.984] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.984] lstrlenW (lpString=".rar") returned 4 [0049.984] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.984] lstrlenW (lpString=".bz2") returned 4 [0049.984] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.984] lstrlenW (lpString=".7z") returned 3 [0049.984] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.984] lstrlenW (lpString=".dbf") returned 4 [0049.984] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.984] lstrlenW (lpString=".1cd") returned 4 [0049.984] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0049.984] lstrlenW (lpString=".jpg") returned 4 [0049.984] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.984] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.984] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0050.621] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=33277) returned 1 [0050.621] CloseHandle (hObject=0x1f8) returned 1 [0050.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0050.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0050.622] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.622] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.622] GetLastError () returned 0x0 [0050.622] ReadFile (in: hFile=0x1f8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x81fd, lpOverlapped=0x0) returned 1 [0050.661] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x8200, lpOverlapped=0x0) returned 1 [0050.663] ReadFile (in: hFile=0x1f8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.663] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.663] SetEndOfFile (hFile=0x1dc) returned 1 [0050.663] CloseHandle (hObject=0x1dc) returned 1 [0050.663] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.663] SetEndOfFile (hFile=0x1f8) returned 1 [0050.665] CloseHandle (hObject=0x1f8) returned 1 [0050.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.665] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0050.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.665] lstrlenW (lpString=".doc") returned 4 [0050.665] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.665] lstrlenW (lpString=".docx") returned 5 [0050.666] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.666] lstrlenW (lpString=".pdf") returned 4 [0050.666] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.666] lstrlenW (lpString=".xls") returned 4 [0050.666] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.666] lstrlenW (lpString=".xlsx") returned 5 [0050.666] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.666] lstrlenW (lpString=".ppt") returned 4 [0050.666] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.666] lstrlenW (lpString=".zip") returned 4 [0050.666] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.666] lstrlenW (lpString=".rar") returned 4 [0050.666] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.666] lstrlenW (lpString=".bz2") returned 4 [0050.666] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.666] lstrlenW (lpString=".7z") returned 3 [0050.666] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.666] lstrlenW (lpString=".dbf") returned 4 [0050.666] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.666] lstrlenW (lpString=".1cd") returned 4 [0050.666] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.666] lstrlenW (lpString=".jpg") returned 4 [0050.666] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.667] lstrlenW (lpString=".doc") returned 4 [0050.667] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.667] lstrlenW (lpString=".docx") returned 5 [0050.667] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.667] lstrlenW (lpString=".pdf") returned 4 [0050.667] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.667] lstrlenW (lpString=".xls") returned 4 [0050.667] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.667] lstrlenW (lpString=".xlsx") returned 5 [0050.667] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.667] lstrlenW (lpString=".ppt") returned 4 [0050.667] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.667] lstrlenW (lpString=".zip") returned 4 [0050.667] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.667] lstrlenW (lpString=".rar") returned 4 [0050.667] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.667] lstrlenW (lpString=".bz2") returned 4 [0050.667] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.667] lstrlenW (lpString=".7z") returned 3 [0050.667] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.667] lstrlenW (lpString=".dbf") returned 4 [0050.667] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.667] lstrlenW (lpString=".1cd") returned 4 [0050.667] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0050.668] lstrlenW (lpString=".jpg") returned 4 [0050.668] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.668] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.668] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.676] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=18817) returned 1 [0050.676] CloseHandle (hObject=0x1dc) returned 1 [0050.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0050.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.677] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.677] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.677] GetLastError () returned 0x0 [0050.677] ReadFile (in: hFile=0x1dc, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x4981, lpOverlapped=0x0) returned 1 [0050.735] WriteFile (in: hFile=0x188, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x4990, lpOverlapped=0x0) returned 1 [0050.736] ReadFile (in: hFile=0x1dc, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.737] WriteFile (in: hFile=0x188, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.737] SetEndOfFile (hFile=0x188) returned 1 [0050.737] CloseHandle (hObject=0x188) returned 1 [0050.737] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.737] SetEndOfFile (hFile=0x1dc) returned 1 [0050.739] CloseHandle (hObject=0x1dc) returned 1 [0050.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.739] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0050.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.739] lstrlenW (lpString=".doc") returned 4 [0050.740] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.740] lstrlenW (lpString=".docx") returned 5 [0050.740] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.740] lstrlenW (lpString=".pdf") returned 4 [0050.740] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.740] lstrlenW (lpString=".xls") returned 4 [0050.740] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.740] lstrlenW (lpString=".xlsx") returned 5 [0050.740] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.740] lstrlenW (lpString=".ppt") returned 4 [0050.740] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.740] lstrlenW (lpString=".zip") returned 4 [0050.740] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.740] lstrlenW (lpString=".rar") returned 4 [0050.740] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.740] lstrlenW (lpString=".bz2") returned 4 [0050.740] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.740] lstrlenW (lpString=".7z") returned 3 [0050.740] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.740] lstrlenW (lpString=".dbf") returned 4 [0050.740] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.740] lstrlenW (lpString=".1cd") returned 4 [0050.740] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.741] lstrlenW (lpString=".jpg") returned 4 [0050.741] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.741] lstrlenW (lpString=".doc") returned 4 [0050.741] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.741] lstrlenW (lpString=".docx") returned 5 [0050.741] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.741] lstrlenW (lpString=".pdf") returned 4 [0050.741] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.741] lstrlenW (lpString=".xls") returned 4 [0050.741] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.741] lstrlenW (lpString=".xlsx") returned 5 [0050.741] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.741] lstrlenW (lpString=".ppt") returned 4 [0050.741] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.741] lstrlenW (lpString=".zip") returned 4 [0050.741] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.741] lstrlenW (lpString=".rar") returned 4 [0050.741] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.741] lstrlenW (lpString=".bz2") returned 4 [0050.741] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.742] lstrlenW (lpString=".7z") returned 3 [0050.742] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.742] lstrlenW (lpString=".dbf") returned 4 [0050.742] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.742] lstrlenW (lpString=".1cd") returned 4 [0050.742] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0050.742] lstrlenW (lpString=".jpg") returned 4 [0050.742] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.742] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.742] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.153] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=19485) returned 1 [0051.153] CloseHandle (hObject=0x220) returned 1 [0051.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0051.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.154] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.154] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.154] GetLastError () returned 0x0 [0051.154] ReadFile (in: hFile=0x220, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0051.156] WriteFile (in: hFile=0x224, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0051.157] ReadFile (in: hFile=0x220, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.157] WriteFile (in: hFile=0x224, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.157] SetEndOfFile (hFile=0x224) returned 1 [0051.157] CloseHandle (hObject=0x224) returned 1 [0051.158] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.158] SetEndOfFile (hFile=0x220) returned 1 [0051.159] CloseHandle (hObject=0x220) returned 1 [0051.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.159] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0051.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.159] lstrlenW (lpString=".doc") returned 4 [0051.159] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.159] lstrlenW (lpString=".docx") returned 5 [0051.159] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.159] lstrlenW (lpString=".pdf") returned 4 [0051.159] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.159] lstrlenW (lpString=".xls") returned 4 [0051.160] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.160] lstrlenW (lpString=".xlsx") returned 5 [0051.160] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.160] lstrlenW (lpString=".ppt") returned 4 [0051.160] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.160] lstrlenW (lpString=".zip") returned 4 [0051.160] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.160] lstrlenW (lpString=".rar") returned 4 [0051.160] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.160] lstrlenW (lpString=".bz2") returned 4 [0051.160] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.160] lstrlenW (lpString=".7z") returned 3 [0051.160] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.160] lstrlenW (lpString=".dbf") returned 4 [0051.160] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.160] lstrlenW (lpString=".1cd") returned 4 [0051.160] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.160] lstrlenW (lpString=".jpg") returned 4 [0051.160] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.160] lstrlenW (lpString=".doc") returned 4 [0051.160] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.160] lstrlenW (lpString=".docx") returned 5 [0051.160] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.160] lstrlenW (lpString=".pdf") returned 4 [0051.160] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.160] lstrlenW (lpString=".xls") returned 4 [0051.160] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.160] lstrlenW (lpString=".xlsx") returned 5 [0051.161] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.161] lstrlenW (lpString=".ppt") returned 4 [0051.161] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.161] lstrlenW (lpString=".zip") returned 4 [0051.161] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.161] lstrlenW (lpString=".rar") returned 4 [0051.161] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.161] lstrlenW (lpString=".bz2") returned 4 [0051.161] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.161] lstrlenW (lpString=".7z") returned 3 [0051.161] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.161] lstrlenW (lpString=".dbf") returned 4 [0051.161] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.161] lstrlenW (lpString=".1cd") returned 4 [0051.161] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0051.161] lstrlenW (lpString=".jpg") returned 4 [0051.161] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.161] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.161] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.589] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=11573) returned 1 [0051.589] CloseHandle (hObject=0x228) returned 1 [0051.589] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0051.589] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.596] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.596] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.597] GetLastError () returned 0x0 [0051.597] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x2d35, lpOverlapped=0x0) returned 1 [0051.599] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0051.600] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.600] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.601] SetEndOfFile (hFile=0x228) returned 1 [0051.601] CloseHandle (hObject=0x228) returned 1 [0051.601] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.601] SetEndOfFile (hFile=0x204) returned 1 [0051.602] CloseHandle (hObject=0x204) returned 1 [0051.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.602] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0051.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.602] lstrlenW (lpString=".doc") returned 4 [0051.602] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.602] lstrlenW (lpString=".docx") returned 5 [0051.602] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.602] lstrlenW (lpString=".pdf") returned 4 [0051.603] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString=".xls") returned 4 [0051.603] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.603] lstrlenW (lpString=".xlsx") returned 5 [0051.603] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.603] lstrlenW (lpString=".ppt") returned 4 [0051.603] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.603] lstrlenW (lpString=".zip") returned 4 [0051.603] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.603] lstrlenW (lpString=".rar") returned 4 [0051.603] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.603] lstrlenW (lpString=".bz2") returned 4 [0051.603] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString=".7z") returned 3 [0051.603] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.603] lstrlenW (lpString=".dbf") returned 4 [0051.603] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.603] lstrlenW (lpString=".1cd") returned 4 [0051.603] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.603] lstrlenW (lpString=".jpg") returned 4 [0051.603] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.603] lstrlenW (lpString=".doc") returned 4 [0051.603] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString=".docx") returned 5 [0051.603] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.603] lstrlenW (lpString=".pdf") returned 4 [0051.603] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.603] lstrlenW (lpString=".xls") returned 4 [0051.603] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.603] lstrlenW (lpString=".xlsx") returned 5 [0051.604] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.604] lstrlenW (lpString=".ppt") returned 4 [0051.604] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.604] lstrlenW (lpString=".zip") returned 4 [0051.604] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.604] lstrlenW (lpString=".rar") returned 4 [0051.604] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.604] lstrlenW (lpString=".bz2") returned 4 [0051.604] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.604] lstrlenW (lpString=".7z") returned 3 [0051.604] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.604] lstrlenW (lpString=".dbf") returned 4 [0051.604] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.604] lstrlenW (lpString=".1cd") returned 4 [0051.604] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0051.604] lstrlenW (lpString=".jpg") returned 4 [0051.604] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.604] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.604] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.605] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=53115) returned 1 [0051.605] CloseHandle (hObject=0x204) returned 1 [0051.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0051.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.605] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.605] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.607] GetLastError () returned 0x0 [0051.607] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0051.613] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0051.615] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.615] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.616] SetEndOfFile (hFile=0x228) returned 1 [0051.616] CloseHandle (hObject=0x228) returned 1 [0051.616] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.616] SetEndOfFile (hFile=0x204) returned 1 [0051.618] CloseHandle (hObject=0x204) returned 1 [0051.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.618] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0051.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.618] lstrlenW (lpString=".doc") returned 4 [0051.618] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.618] lstrlenW (lpString=".docx") returned 5 [0051.618] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.618] lstrlenW (lpString=".pdf") returned 4 [0051.618] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.618] lstrlenW (lpString=".xls") returned 4 [0051.618] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.618] lstrlenW (lpString=".xlsx") returned 5 [0051.618] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.618] lstrlenW (lpString=".ppt") returned 4 [0051.618] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.618] lstrlenW (lpString=".zip") returned 4 [0051.619] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.619] lstrlenW (lpString=".rar") returned 4 [0051.619] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.619] lstrlenW (lpString=".bz2") returned 4 [0051.619] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.619] lstrlenW (lpString=".7z") returned 3 [0051.619] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.619] lstrlenW (lpString=".dbf") returned 4 [0051.619] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.619] lstrlenW (lpString=".1cd") returned 4 [0051.619] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.619] lstrlenW (lpString=".jpg") returned 4 [0051.619] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.619] lstrlenW (lpString=".doc") returned 4 [0051.619] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.619] lstrlenW (lpString=".docx") returned 5 [0051.619] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.619] lstrlenW (lpString=".pdf") returned 4 [0051.619] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.619] lstrlenW (lpString=".xls") returned 4 [0051.619] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.619] lstrlenW (lpString=".xlsx") returned 5 [0051.619] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.619] lstrlenW (lpString=".ppt") returned 4 [0051.619] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.619] lstrlenW (lpString=".zip") returned 4 [0051.619] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.619] lstrlenW (lpString=".rar") returned 4 [0051.619] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.620] lstrlenW (lpString=".bz2") returned 4 [0051.620] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.620] lstrlenW (lpString=".7z") returned 3 [0051.620] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.620] lstrlenW (lpString=".dbf") returned 4 [0051.620] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.620] lstrlenW (lpString=".1cd") returned 4 [0051.620] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0051.620] lstrlenW (lpString=".jpg") returned 4 [0051.620] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.620] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.620] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.621] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=2604) returned 1 [0051.621] CloseHandle (hObject=0x204) returned 1 [0051.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 0x20 [0051.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.621] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.621] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.624] GetLastError () returned 0x0 [0051.624] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0xa2c, lpOverlapped=0x0) returned 1 [0051.626] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0051.627] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.627] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.627] SetEndOfFile (hFile=0x228) returned 1 [0051.627] CloseHandle (hObject=0x228) returned 1 [0051.627] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.627] SetEndOfFile (hFile=0x204) returned 1 [0051.628] CloseHandle (hObject=0x204) returned 1 [0051.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.629] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0051.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.629] lstrlenW (lpString=".doc") returned 4 [0051.629] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.629] lstrlenW (lpString=".docx") returned 5 [0051.629] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.629] lstrlenW (lpString=".pdf") returned 4 [0051.629] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.629] lstrlenW (lpString=".xls") returned 4 [0051.629] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.629] lstrlenW (lpString=".xlsx") returned 5 [0051.629] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.629] lstrlenW (lpString=".ppt") returned 4 [0051.629] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.629] lstrlenW (lpString=".zip") returned 4 [0051.629] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.629] lstrlenW (lpString=".rar") returned 4 [0051.629] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.629] lstrlenW (lpString=".bz2") returned 4 [0051.629] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.629] lstrlenW (lpString=".7z") returned 3 [0051.630] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.630] lstrlenW (lpString=".dbf") returned 4 [0051.630] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.630] lstrlenW (lpString=".1cd") returned 4 [0051.630] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.630] lstrlenW (lpString=".jpg") returned 4 [0051.630] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.630] lstrlenW (lpString=".doc") returned 4 [0051.630] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.630] lstrlenW (lpString=".docx") returned 5 [0051.630] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.630] lstrlenW (lpString=".pdf") returned 4 [0051.630] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.630] lstrlenW (lpString=".xls") returned 4 [0051.630] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.630] lstrlenW (lpString=".xlsx") returned 5 [0051.630] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.630] lstrlenW (lpString=".ppt") returned 4 [0051.630] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.630] lstrlenW (lpString=".zip") returned 4 [0051.631] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.631] lstrlenW (lpString=".rar") returned 4 [0051.631] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.631] lstrlenW (lpString=".bz2") returned 4 [0051.631] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.631] lstrlenW (lpString=".7z") returned 3 [0051.631] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.631] lstrlenW (lpString=".dbf") returned 4 [0051.631] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.631] lstrlenW (lpString=".1cd") returned 4 [0051.631] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0051.631] lstrlenW (lpString=".jpg") returned 4 [0051.631] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.631] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.631] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.633] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=31975) returned 1 [0051.633] CloseHandle (hObject=0x204) returned 1 [0051.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0051.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.634] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.634] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.634] GetLastError () returned 0x0 [0051.634] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0051.926] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0051.928] ReadFile (in: hFile=0x204, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.928] WriteFile (in: hFile=0x228, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.932] SetEndOfFile (hFile=0x228) returned 1 [0051.933] CloseHandle (hObject=0x228) returned 1 [0051.933] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.933] SetEndOfFile (hFile=0x204) returned 1 [0051.934] CloseHandle (hObject=0x204) returned 1 [0051.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.934] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0051.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.935] lstrlenW (lpString=".doc") returned 4 [0051.935] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.935] lstrlenW (lpString=".docx") returned 5 [0051.935] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.935] lstrlenW (lpString=".pdf") returned 4 [0051.935] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.935] lstrlenW (lpString=".xls") returned 4 [0051.935] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.935] lstrlenW (lpString=".xlsx") returned 5 [0051.935] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.935] lstrlenW (lpString=".ppt") returned 4 [0051.935] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.935] lstrlenW (lpString=".zip") returned 4 [0051.935] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.935] lstrlenW (lpString=".rar") returned 4 [0051.935] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.935] lstrlenW (lpString=".bz2") returned 4 [0051.935] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.935] lstrlenW (lpString=".7z") returned 3 [0051.935] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.935] lstrlenW (lpString=".dbf") returned 4 [0051.935] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.935] lstrlenW (lpString=".1cd") returned 4 [0051.935] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.935] lstrlenW (lpString=".jpg") returned 4 [0051.935] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.936] lstrlenW (lpString=".doc") returned 4 [0051.936] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.936] lstrlenW (lpString=".docx") returned 5 [0051.936] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.936] lstrlenW (lpString=".pdf") returned 4 [0051.936] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.936] lstrlenW (lpString=".xls") returned 4 [0051.936] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.936] lstrlenW (lpString=".xlsx") returned 5 [0051.936] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.936] lstrlenW (lpString=".ppt") returned 4 [0051.936] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.936] lstrlenW (lpString=".zip") returned 4 [0051.936] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.936] lstrlenW (lpString=".rar") returned 4 [0051.936] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.936] lstrlenW (lpString=".bz2") returned 4 [0051.936] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.936] lstrlenW (lpString=".7z") returned 3 [0051.936] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.936] lstrlenW (lpString=".dbf") returned 4 [0051.936] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.936] lstrlenW (lpString=".1cd") returned 4 [0051.936] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0051.936] lstrlenW (lpString=".jpg") returned 4 [0051.936] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.937] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.937] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.248] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=29305) returned 1 [0053.248] CloseHandle (hObject=0x21c) returned 1 [0053.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 0x20 [0053.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.248] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.248] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0053.346] GetLastError () returned 0x0 [0053.346] ReadFile (in: hFile=0x21c, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x7279, lpOverlapped=0x0) returned 1 [0053.353] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x7280, lpOverlapped=0x0) returned 1 [0053.354] ReadFile (in: hFile=0x21c, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.354] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.354] SetEndOfFile (hFile=0x1dc) returned 1 [0053.354] CloseHandle (hObject=0x1dc) returned 1 [0053.354] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.355] SetEndOfFile (hFile=0x21c) returned 1 [0053.355] CloseHandle (hObject=0x21c) returned 1 [0053.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.356] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0053.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.356] lstrlenW (lpString=".doc") returned 4 [0053.356] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0053.356] lstrlenW (lpString=".docx") returned 5 [0053.356] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0053.356] lstrlenW (lpString=".pdf") returned 4 [0053.356] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0053.356] lstrlenW (lpString=".xls") returned 4 [0053.356] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0053.356] lstrlenW (lpString=".xlsx") returned 5 [0053.356] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0053.356] lstrlenW (lpString=".ppt") returned 4 [0053.356] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0053.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.356] lstrlenW (lpString=".zip") returned 4 [0053.356] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0053.356] lstrlenW (lpString=".rar") returned 4 [0053.357] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0053.357] lstrlenW (lpString=".bz2") returned 4 [0053.357] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0053.357] lstrlenW (lpString=".7z") returned 3 [0053.357] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0053.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.357] lstrlenW (lpString=".dbf") returned 4 [0053.357] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0053.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.357] lstrlenW (lpString=".1cd") returned 4 [0053.357] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0053.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.357] lstrlenW (lpString=".jpg") returned 4 [0053.357] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0053.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.357] lstrlenW (lpString=".doc") returned 4 [0053.357] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0053.357] lstrlenW (lpString=".docx") returned 5 [0053.357] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0053.357] lstrlenW (lpString=".pdf") returned 4 [0053.357] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0053.357] lstrlenW (lpString=".xls") returned 4 [0053.357] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0053.357] lstrlenW (lpString=".xlsx") returned 5 [0053.357] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0053.357] lstrlenW (lpString=".ppt") returned 4 [0053.357] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0053.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.357] lstrlenW (lpString=".zip") returned 4 [0053.357] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0053.357] lstrlenW (lpString=".rar") returned 4 [0053.357] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0053.357] lstrlenW (lpString=".bz2") returned 4 [0053.358] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0053.358] lstrlenW (lpString=".7z") returned 3 [0053.358] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.358] lstrlenW (lpString=".dbf") returned 4 [0053.358] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.358] lstrlenW (lpString=".1cd") returned 4 [0053.358] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0053.358] lstrlenW (lpString=".jpg") returned 4 [0053.358] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0053.358] lstrcmpiW (lpString1=".MSG", lpString2=".NcOv") returned -1 [0053.358] lstrlenW (lpString="FPEXT.MSG") returned 9 [0053.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.359] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=169637) returned 1 [0053.359] CloseHandle (hObject=0x21c) returned 1 [0053.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 0x20 [0053.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.359] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.359] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0053.360] GetLastError () returned 0x0 [0053.360] ReadFile (in: hFile=0x21c, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x296a5, lpOverlapped=0x0) returned 1 [0053.371] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0053.376] ReadFile (in: hFile=0x21c, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.376] WriteFile (in: hFile=0x1dc, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.376] SetEndOfFile (hFile=0x1dc) returned 1 [0053.376] CloseHandle (hObject=0x1dc) returned 1 [0053.376] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.377] SetEndOfFile (hFile=0x21c) returned 1 [0053.378] CloseHandle (hObject=0x21c) returned 1 [0053.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.379] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0053.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.379] lstrlenW (lpString=".doc") returned 4 [0053.379] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0053.379] lstrlenW (lpString=".docx") returned 5 [0053.379] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0053.379] lstrlenW (lpString=".pdf") returned 4 [0053.379] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0053.379] lstrlenW (lpString=".xls") returned 4 [0053.379] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0053.379] lstrlenW (lpString=".xlsx") returned 5 [0053.379] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0053.379] lstrlenW (lpString=".ppt") returned 4 [0053.379] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0053.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.379] lstrlenW (lpString=".zip") returned 4 [0053.380] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0053.380] lstrlenW (lpString=".rar") returned 4 [0053.380] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0053.380] lstrlenW (lpString=".bz2") returned 4 [0053.380] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0053.380] lstrlenW (lpString=".7z") returned 3 [0053.380] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0053.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.380] lstrlenW (lpString=".dbf") returned 4 [0053.380] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0053.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.380] lstrlenW (lpString=".1cd") returned 4 [0053.380] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0053.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.380] lstrlenW (lpString=".jpg") returned 4 [0053.380] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0053.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.380] lstrlenW (lpString=".doc") returned 4 [0053.380] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0053.380] lstrlenW (lpString=".docx") returned 5 [0053.380] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0053.380] lstrlenW (lpString=".pdf") returned 4 [0053.380] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0053.380] lstrlenW (lpString=".xls") returned 4 [0053.380] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0053.380] lstrlenW (lpString=".xlsx") returned 5 [0053.380] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0053.380] lstrlenW (lpString=".ppt") returned 4 [0053.380] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0053.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.381] lstrlenW (lpString=".zip") returned 4 [0053.381] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0053.381] lstrlenW (lpString=".rar") returned 4 [0053.381] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0053.381] lstrlenW (lpString=".bz2") returned 4 [0053.381] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0053.381] lstrlenW (lpString=".7z") returned 3 [0053.381] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0053.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.381] lstrlenW (lpString=".dbf") returned 4 [0053.381] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0053.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.381] lstrlenW (lpString=".1cd") returned 4 [0053.381] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0053.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0053.381] lstrlenW (lpString=".jpg") returned 4 [0053.381] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0053.381] lstrcmpiW (lpString1=".inc", lpString2=".NcOv") returned -1 [0053.381] lstrlenW (lpString="adojavas.inc") returned 12 [0053.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.383] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=14610) returned 1 [0053.383] CloseHandle (hObject=0x21c) returned 1 [0053.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc")) returned 0x20 [0053.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.383] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString=".doc") returned 4 [0053.384] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.384] lstrlenW (lpString=".docx") returned 5 [0053.384] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.384] lstrlenW (lpString=".pdf") returned 4 [0053.384] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.384] lstrlenW (lpString=".xls") returned 4 [0053.384] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.384] lstrlenW (lpString=".xlsx") returned 5 [0053.384] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.384] lstrlenW (lpString=".ppt") returned 4 [0053.384] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString=".zip") returned 4 [0053.384] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.384] lstrlenW (lpString=".rar") returned 4 [0053.384] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.384] lstrlenW (lpString=".bz2") returned 4 [0053.384] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.384] lstrlenW (lpString=".7z") returned 3 [0053.384] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString=".dbf") returned 4 [0053.384] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString=".1cd") returned 4 [0053.384] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString=".jpg") returned 4 [0053.384] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.384] lstrlenW (lpString=".doc") returned 4 [0053.384] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.385] lstrlenW (lpString=".docx") returned 5 [0053.385] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.385] lstrlenW (lpString=".pdf") returned 4 [0053.385] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.385] lstrlenW (lpString=".xls") returned 4 [0053.385] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.385] lstrlenW (lpString=".xlsx") returned 5 [0053.385] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.385] lstrlenW (lpString=".ppt") returned 4 [0053.385] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.385] lstrlenW (lpString=".zip") returned 4 [0053.385] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.385] lstrlenW (lpString=".rar") returned 4 [0053.385] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.385] lstrlenW (lpString=".bz2") returned 4 [0053.385] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.385] lstrlenW (lpString=".7z") returned 3 [0053.385] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.385] lstrlenW (lpString=".dbf") returned 4 [0053.385] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.385] lstrlenW (lpString=".1cd") returned 4 [0053.385] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0053.385] lstrlenW (lpString=".jpg") returned 4 [0053.385] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.385] lstrcmpiW (lpString1=".inc", lpString2=".NcOv") returned -1 [0053.385] lstrlenW (lpString="adovbs.inc") returned 10 [0053.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.386] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=14951) returned 1 [0053.386] CloseHandle (hObject=0x21c) returned 1 [0053.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0053.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.386] lstrlenW (lpString=".doc") returned 4 [0053.386] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.386] lstrlenW (lpString=".docx") returned 5 [0053.386] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.386] lstrlenW (lpString=".pdf") returned 4 [0053.386] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.386] lstrlenW (lpString=".xls") returned 4 [0053.386] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.386] lstrlenW (lpString=".xlsx") returned 5 [0053.386] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.386] lstrlenW (lpString=".ppt") returned 4 [0053.386] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString=".zip") returned 4 [0053.387] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString=".rar") returned 4 [0053.387] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString=".bz2") returned 4 [0053.387] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.387] lstrlenW (lpString=".7z") returned 3 [0053.387] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString=".dbf") returned 4 [0053.387] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString=".1cd") returned 4 [0053.387] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString=".jpg") returned 4 [0053.387] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString=".doc") returned 4 [0053.387] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.387] lstrlenW (lpString=".docx") returned 5 [0053.387] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.387] lstrlenW (lpString=".pdf") returned 4 [0053.387] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString=".xls") returned 4 [0053.387] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString=".xlsx") returned 5 [0053.387] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.387] lstrlenW (lpString=".ppt") returned 4 [0053.387] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.387] lstrlenW (lpString=".zip") returned 4 [0053.388] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.388] lstrlenW (lpString=".rar") returned 4 [0053.388] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.388] lstrlenW (lpString=".bz2") returned 4 [0053.388] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.388] lstrlenW (lpString=".7z") returned 3 [0053.388] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.388] lstrlenW (lpString=".dbf") returned 4 [0053.388] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.388] lstrlenW (lpString=".1cd") returned 4 [0053.388] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0053.388] lstrlenW (lpString=".jpg") returned 4 [0053.388] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.388] lstrcmpiW (lpString1=".inc", lpString2=".NcOv") returned -1 [0053.388] lstrlenW (lpString="adcjavas.inc") returned 12 [0053.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.744] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=630) returned 1 [0053.744] CloseHandle (hObject=0x1e8) returned 1 [0053.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0053.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.745] lstrlenW (lpString=".doc") returned 4 [0053.745] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.745] lstrlenW (lpString=".docx") returned 5 [0053.745] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.745] lstrlenW (lpString=".pdf") returned 4 [0053.745] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.745] lstrlenW (lpString=".xls") returned 4 [0053.745] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.745] lstrlenW (lpString=".xlsx") returned 5 [0053.745] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.745] lstrlenW (lpString=".ppt") returned 4 [0053.745] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.745] lstrlenW (lpString=".zip") returned 4 [0053.745] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.745] lstrlenW (lpString=".rar") returned 4 [0053.745] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.745] lstrlenW (lpString=".bz2") returned 4 [0053.745] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.745] lstrlenW (lpString=".7z") returned 3 [0053.745] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.745] lstrlenW (lpString=".dbf") returned 4 [0053.745] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.745] lstrlenW (lpString=".1cd") returned 4 [0053.745] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.745] lstrlenW (lpString=".jpg") returned 4 [0053.746] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.746] lstrlenW (lpString=".doc") returned 4 [0053.746] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.746] lstrlenW (lpString=".docx") returned 5 [0053.746] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.746] lstrlenW (lpString=".pdf") returned 4 [0053.746] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.746] lstrlenW (lpString=".xls") returned 4 [0053.746] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.746] lstrlenW (lpString=".xlsx") returned 5 [0053.746] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.746] lstrlenW (lpString=".ppt") returned 4 [0053.746] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.746] lstrlenW (lpString=".zip") returned 4 [0053.746] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.746] lstrlenW (lpString=".rar") returned 4 [0053.746] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.746] lstrlenW (lpString=".bz2") returned 4 [0053.746] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.746] lstrlenW (lpString=".7z") returned 3 [0053.746] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.746] lstrlenW (lpString=".dbf") returned 4 [0053.746] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.747] lstrlenW (lpString=".1cd") returned 4 [0053.747] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0053.747] lstrlenW (lpString=".jpg") returned 4 [0053.747] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.747] lstrcmpiW (lpString1=".ini", lpString2=".NcOv") returned -1 [0053.747] lstrlenW (lpString="desktop.ini") returned 11 [0053.747] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.747] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=174) returned 1 [0053.747] CloseHandle (hObject=0x1e8) returned 1 [0053.747] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 0x26 [0053.748] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.748] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.748] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.748] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.748] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.748] GetLastError () returned 0x0 [0053.749] ReadFile (in: hFile=0x1e8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0xae, lpOverlapped=0x0) returned 1 [0053.753] WriteFile (in: hFile=0x208, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xb0, lpOverlapped=0x0) returned 1 [0053.754] ReadFile (in: hFile=0x1e8, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesRead=0x2b6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.754] WriteFile (in: hFile=0x208, lpBuffer=0x3280020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3280020*, lpNumberOfBytesWritten=0x2b6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.754] SetEndOfFile (hFile=0x208) returned 1 [0053.754] CloseHandle (hObject=0x208) returned 1 [0053.755] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.755] SetEndOfFile (hFile=0x1e8) returned 1 [0053.756] CloseHandle (hObject=0x1e8) returned 1 [0053.756] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x26) returned 1 [0053.756] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0053.757] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.757] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.757] lstrlenW (lpString=".doc") returned 4 [0053.757] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0053.757] lstrlenW (lpString=".docx") returned 5 [0053.757] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0053.757] lstrlenW (lpString=".pdf") returned 4 [0053.757] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0053.757] lstrlenW (lpString=".xls") returned 4 [0053.757] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0053.757] lstrlenW (lpString=".xlsx") returned 5 [0053.757] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0053.757] lstrlenW (lpString=".ppt") returned 4 [0053.757] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0053.757] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.757] lstrlenW (lpString=".zip") returned 4 [0053.757] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0053.757] lstrlenW (lpString=".rar") returned 4 [0053.757] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0053.757] lstrlenW (lpString=".bz2") returned 4 [0053.757] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0053.757] lstrlenW (lpString=".7z") returned 3 [0053.757] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0053.757] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.757] lstrlenW (lpString=".dbf") returned 4 [0053.757] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0053.758] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.758] lstrlenW (lpString=".1cd") returned 4 [0053.758] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0053.758] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.758] lstrlenW (lpString=".jpg") returned 4 [0053.758] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0053.758] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.758] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.758] lstrlenW (lpString=".doc") returned 4 [0053.758] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0053.758] lstrlenW (lpString=".docx") returned 5 [0053.758] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0053.758] lstrlenW (lpString=".pdf") returned 4 [0053.758] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0053.758] lstrlenW (lpString=".xls") returned 4 [0053.758] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0053.758] lstrlenW (lpString=".xlsx") returned 5 [0053.758] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0053.758] lstrlenW (lpString=".ppt") returned 4 [0053.758] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0053.758] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.758] lstrlenW (lpString=".zip") returned 4 [0053.758] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0053.758] lstrlenW (lpString=".rar") returned 4 [0053.758] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0053.758] lstrlenW (lpString=".bz2") returned 4 [0053.758] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0053.758] lstrlenW (lpString=".7z") returned 3 [0053.759] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0053.759] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.759] lstrlenW (lpString=".dbf") returned 4 [0053.759] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0053.759] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.759] lstrlenW (lpString=".1cd") returned 4 [0053.759] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0053.759] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0053.759] lstrlenW (lpString=".jpg") returned 4 [0053.759] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0053.759] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.759] lstrlenW (lpString="DissolveAnother.png") returned 19 [0053.759] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.761] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=27935) returned 1 [0053.761] CloseHandle (hObject=0x208) returned 1 [0053.761] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png")) returned 0x20 [0053.761] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.761] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.761] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.761] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.761] lstrlenW (lpString=".doc") returned 4 [0053.761] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.761] lstrlenW (lpString=".docx") returned 5 [0053.761] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0053.761] lstrlenW (lpString=".pdf") returned 4 [0053.761] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.762] lstrlenW (lpString=".xls") returned 4 [0053.762] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.762] lstrlenW (lpString=".xlsx") returned 5 [0053.762] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0053.762] lstrlenW (lpString=".ppt") returned 4 [0053.762] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.762] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.762] lstrlenW (lpString=".zip") returned 4 [0053.762] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.762] lstrlenW (lpString=".rar") returned 4 [0053.762] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.762] lstrlenW (lpString=".bz2") returned 4 [0053.762] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.762] lstrlenW (lpString=".7z") returned 3 [0053.762] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.762] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.762] lstrlenW (lpString=".dbf") returned 4 [0053.762] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.762] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.762] lstrlenW (lpString=".1cd") returned 4 [0053.762] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.762] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.762] lstrlenW (lpString=".jpg") returned 4 [0053.762] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.762] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.762] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.762] lstrlenW (lpString=".doc") returned 4 [0053.763] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.763] lstrlenW (lpString=".docx") returned 5 [0053.763] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0053.763] lstrlenW (lpString=".pdf") returned 4 [0053.763] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.763] lstrlenW (lpString=".xls") returned 4 [0053.763] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.763] lstrlenW (lpString=".xlsx") returned 5 [0053.763] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0053.763] lstrlenW (lpString=".ppt") returned 4 [0053.763] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.763] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.763] lstrlenW (lpString=".zip") returned 4 [0053.763] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.763] lstrlenW (lpString=".rar") returned 4 [0053.763] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.763] lstrlenW (lpString=".bz2") returned 4 [0053.763] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.763] lstrlenW (lpString=".7z") returned 3 [0053.763] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.763] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.763] lstrlenW (lpString=".dbf") returned 4 [0053.763] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.763] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.763] lstrlenW (lpString=".1cd") returned 4 [0053.763] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.763] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0053.763] lstrlenW (lpString=".jpg") returned 4 [0053.763] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.764] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.764] lstrlenW (lpString="DissolveNoise.png") returned 17 [0053.764] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.764] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=751669) returned 1 [0053.764] CloseHandle (hObject=0x208) returned 1 [0053.765] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png")) returned 0x20 [0053.765] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.765] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.765] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.765] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.765] lstrlenW (lpString=".doc") returned 4 [0053.765] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.765] lstrlenW (lpString=".docx") returned 5 [0053.765] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0053.765] lstrlenW (lpString=".pdf") returned 4 [0053.765] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.765] lstrlenW (lpString=".xls") returned 4 [0053.765] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.765] lstrlenW (lpString=".xlsx") returned 5 [0053.765] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0053.765] lstrlenW (lpString=".ppt") returned 4 [0053.765] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.765] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.765] lstrlenW (lpString=".zip") returned 4 [0053.765] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.765] lstrlenW (lpString=".rar") returned 4 [0053.765] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.766] lstrlenW (lpString=".bz2") returned 4 [0053.766] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.766] lstrlenW (lpString=".7z") returned 3 [0053.766] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.766] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.766] lstrlenW (lpString=".dbf") returned 4 [0053.766] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.766] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.766] lstrlenW (lpString=".1cd") returned 4 [0053.766] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.766] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.766] lstrlenW (lpString=".jpg") returned 4 [0053.766] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.766] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.766] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.766] lstrlenW (lpString=".doc") returned 4 [0053.766] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.766] lstrlenW (lpString=".docx") returned 5 [0053.766] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0053.766] lstrlenW (lpString=".pdf") returned 4 [0053.766] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.766] lstrlenW (lpString=".xls") returned 4 [0053.766] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.766] lstrlenW (lpString=".xlsx") returned 5 [0053.766] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0053.766] lstrlenW (lpString=".ppt") returned 4 [0053.766] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.766] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.766] lstrlenW (lpString=".zip") returned 4 [0053.767] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.767] lstrlenW (lpString=".rar") returned 4 [0053.767] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.767] lstrlenW (lpString=".bz2") returned 4 [0053.767] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.767] lstrlenW (lpString=".7z") returned 3 [0053.767] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.767] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.767] lstrlenW (lpString=".dbf") returned 4 [0053.767] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.767] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.767] lstrlenW (lpString=".1cd") returned 4 [0053.767] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.767] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0053.767] lstrlenW (lpString=".jpg") returned 4 [0053.767] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.767] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.767] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0053.767] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.769] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=10123) returned 1 [0053.769] CloseHandle (hObject=0x208) returned 1 [0053.769] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png")) returned 0x20 [0053.769] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.769] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.769] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.769] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.769] lstrlenW (lpString=".doc") returned 4 [0053.769] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.769] lstrlenW (lpString=".docx") returned 5 [0053.769] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0053.769] lstrlenW (lpString=".pdf") returned 4 [0053.769] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.769] lstrlenW (lpString=".xls") returned 4 [0053.769] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.769] lstrlenW (lpString=".xlsx") returned 5 [0053.769] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0053.769] lstrlenW (lpString=".ppt") returned 4 [0053.770] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.770] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.770] lstrlenW (lpString=".zip") returned 4 [0053.770] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.770] lstrlenW (lpString=".rar") returned 4 [0053.770] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.770] lstrlenW (lpString=".bz2") returned 4 [0053.770] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.770] lstrlenW (lpString=".7z") returned 3 [0053.770] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.770] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.770] lstrlenW (lpString=".dbf") returned 4 [0053.770] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.770] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.770] lstrlenW (lpString=".1cd") returned 4 [0053.770] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.770] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.770] lstrlenW (lpString=".jpg") returned 4 [0053.770] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.770] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.770] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.770] lstrlenW (lpString=".doc") returned 4 [0053.770] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.770] lstrlenW (lpString=".docx") returned 5 [0053.770] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0053.770] lstrlenW (lpString=".pdf") returned 4 [0053.770] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.770] lstrlenW (lpString=".xls") returned 4 [0053.771] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.771] lstrlenW (lpString=".xlsx") returned 5 [0053.771] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0053.771] lstrlenW (lpString=".ppt") returned 4 [0053.771] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.771] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.771] lstrlenW (lpString=".zip") returned 4 [0053.771] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.771] lstrlenW (lpString=".rar") returned 4 [0053.771] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.771] lstrlenW (lpString=".bz2") returned 4 [0053.771] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.771] lstrlenW (lpString=".7z") returned 3 [0053.771] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.771] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.771] lstrlenW (lpString=".dbf") returned 4 [0053.771] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.771] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.771] lstrlenW (lpString=".1cd") returned 4 [0053.771] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.771] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0053.771] lstrlenW (lpString=".jpg") returned 4 [0053.771] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.771] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.772] lstrlenW (lpString="16to9Squareframe_SelectionSubpicture.png") returned 40 [0053.772] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.772] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=3286) returned 1 [0053.772] CloseHandle (hObject=0x208) returned 1 [0053.772] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png")) returned 0x20 [0053.772] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.772] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.772] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.772] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.773] lstrlenW (lpString=".doc") returned 4 [0053.773] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.773] lstrlenW (lpString=".docx") returned 5 [0053.773] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0053.773] lstrlenW (lpString=".pdf") returned 4 [0053.773] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.773] lstrlenW (lpString=".xls") returned 4 [0053.773] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.773] lstrlenW (lpString=".xlsx") returned 5 [0053.773] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0053.773] lstrlenW (lpString=".ppt") returned 4 [0053.773] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.773] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.773] lstrlenW (lpString=".zip") returned 4 [0053.773] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.773] lstrlenW (lpString=".rar") returned 4 [0053.773] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.773] lstrlenW (lpString=".bz2") returned 4 [0053.773] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.773] lstrlenW (lpString=".7z") returned 3 [0053.773] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.773] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.773] lstrlenW (lpString=".dbf") returned 4 [0053.773] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.773] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.773] lstrlenW (lpString=".1cd") returned 4 [0053.773] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.773] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.773] lstrlenW (lpString=".jpg") returned 4 [0053.774] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.774] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.774] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.774] lstrlenW (lpString=".doc") returned 4 [0053.774] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.774] lstrlenW (lpString=".docx") returned 5 [0053.774] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0053.774] lstrlenW (lpString=".pdf") returned 4 [0053.774] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.774] lstrlenW (lpString=".xls") returned 4 [0053.774] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.774] lstrlenW (lpString=".xlsx") returned 5 [0053.774] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0053.774] lstrlenW (lpString=".ppt") returned 4 [0053.774] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.774] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.774] lstrlenW (lpString=".zip") returned 4 [0053.774] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.774] lstrlenW (lpString=".rar") returned 4 [0053.774] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.774] lstrlenW (lpString=".bz2") returned 4 [0053.774] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.774] lstrlenW (lpString=".7z") returned 3 [0053.774] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.774] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.774] lstrlenW (lpString=".dbf") returned 4 [0053.774] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.774] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.774] lstrlenW (lpString=".1cd") returned 4 [0053.775] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.775] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0053.775] lstrlenW (lpString=".jpg") returned 4 [0053.775] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.775] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.775] lstrlenW (lpString="16to9Squareframe_VideoInset.png") returned 31 [0053.775] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.777] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=3316) returned 1 [0053.777] CloseHandle (hObject=0x208) returned 1 [0053.777] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png")) returned 0x20 [0053.777] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.777] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.777] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.777] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.777] lstrlenW (lpString=".doc") returned 4 [0053.777] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.777] lstrlenW (lpString=".docx") returned 5 [0053.777] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0053.777] lstrlenW (lpString=".pdf") returned 4 [0053.777] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.777] lstrlenW (lpString=".xls") returned 4 [0053.777] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.777] lstrlenW (lpString=".xlsx") returned 5 [0053.777] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0053.777] lstrlenW (lpString=".ppt") returned 4 [0053.777] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.777] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.777] lstrlenW (lpString=".zip") returned 4 [0053.778] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.778] lstrlenW (lpString=".rar") returned 4 [0053.778] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.778] lstrlenW (lpString=".bz2") returned 4 [0053.778] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.778] lstrlenW (lpString=".7z") returned 3 [0053.778] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.778] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.778] lstrlenW (lpString=".dbf") returned 4 [0053.778] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.778] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.778] lstrlenW (lpString=".1cd") returned 4 [0053.778] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.778] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.778] lstrlenW (lpString=".jpg") returned 4 [0053.778] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.778] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.778] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.778] lstrlenW (lpString=".doc") returned 4 [0053.778] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.778] lstrlenW (lpString=".docx") returned 5 [0053.778] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0053.778] lstrlenW (lpString=".pdf") returned 4 [0053.778] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.778] lstrlenW (lpString=".xls") returned 4 [0053.778] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.778] lstrlenW (lpString=".xlsx") returned 5 [0053.779] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0053.779] lstrlenW (lpString=".ppt") returned 4 [0053.779] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.779] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.779] lstrlenW (lpString=".zip") returned 4 [0053.779] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.779] lstrlenW (lpString=".rar") returned 4 [0053.779] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.779] lstrlenW (lpString=".bz2") returned 4 [0053.779] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.779] lstrlenW (lpString=".7z") returned 3 [0053.779] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.779] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.779] lstrlenW (lpString=".dbf") returned 4 [0053.779] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.779] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.779] lstrlenW (lpString=".1cd") returned 4 [0053.779] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.779] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0053.779] lstrlenW (lpString=".jpg") returned 4 [0053.779] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.779] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.779] lstrlenW (lpString="4to3Squareframe_Buttongraphic.png") returned 33 [0053.779] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.862] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=11861) returned 1 [0054.862] CloseHandle (hObject=0x1e8) returned 1 [0054.862] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png")) returned 0x20 [0054.862] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.862] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.862] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.862] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.862] lstrlenW (lpString=".doc") returned 4 [0054.862] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0054.862] lstrlenW (lpString=".docx") returned 5 [0054.862] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0054.862] lstrlenW (lpString=".pdf") returned 4 [0054.862] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0054.862] lstrlenW (lpString=".xls") returned 4 [0054.863] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0054.863] lstrlenW (lpString=".xlsx") returned 5 [0054.863] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0054.863] lstrlenW (lpString=".ppt") returned 4 [0054.863] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0054.863] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.863] lstrlenW (lpString=".zip") returned 4 [0054.863] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0054.863] lstrlenW (lpString=".rar") returned 4 [0054.863] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0054.863] lstrlenW (lpString=".bz2") returned 4 [0054.863] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0054.863] lstrlenW (lpString=".7z") returned 3 [0054.863] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0054.863] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.863] lstrlenW (lpString=".dbf") returned 4 [0054.863] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0054.863] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.863] lstrlenW (lpString=".1cd") returned 4 [0054.863] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0054.863] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.863] lstrlenW (lpString=".jpg") returned 4 [0054.863] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0054.863] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.863] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.863] lstrlenW (lpString=".doc") returned 4 [0054.863] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0054.863] lstrlenW (lpString=".docx") returned 5 [0054.864] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0054.864] lstrlenW (lpString=".pdf") returned 4 [0054.864] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0054.864] lstrlenW (lpString=".xls") returned 4 [0054.864] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0054.864] lstrlenW (lpString=".xlsx") returned 5 [0054.864] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0054.864] lstrlenW (lpString=".ppt") returned 4 [0054.864] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0054.864] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.864] lstrlenW (lpString=".zip") returned 4 [0054.864] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0054.864] lstrlenW (lpString=".rar") returned 4 [0054.864] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0054.864] lstrlenW (lpString=".bz2") returned 4 [0054.864] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0054.864] lstrlenW (lpString=".7z") returned 3 [0054.864] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0054.864] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.864] lstrlenW (lpString=".dbf") returned 4 [0054.864] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0054.864] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.864] lstrlenW (lpString=".1cd") returned 4 [0054.864] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0054.864] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0054.864] lstrlenW (lpString=".jpg") returned 4 [0054.864] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0054.956] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.956] lstrlenW (lpString="flower_PreComp_MATTE_PAL.wmv") returned 28 [0054.956] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.102] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=85208) returned 1 [0055.102] CloseHandle (hObject=0x1f8) returned 1 [0055.102] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv")) returned 0x20 [0055.102] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.102] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.102] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.102] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.102] lstrlenW (lpString=".doc") returned 4 [0055.102] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0055.102] lstrlenW (lpString=".docx") returned 5 [0055.102] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0055.102] lstrlenW (lpString=".pdf") returned 4 [0055.103] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString=".xls") returned 4 [0055.103] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0055.103] lstrlenW (lpString=".xlsx") returned 5 [0055.103] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0055.103] lstrlenW (lpString=".ppt") returned 4 [0055.103] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.103] lstrlenW (lpString=".zip") returned 4 [0055.103] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0055.103] lstrlenW (lpString=".rar") returned 4 [0055.103] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString=".bz2") returned 4 [0055.103] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString=".7z") returned 3 [0055.103] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.103] lstrlenW (lpString=".dbf") returned 4 [0055.103] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.103] lstrlenW (lpString=".1cd") returned 4 [0055.103] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.103] lstrlenW (lpString=".jpg") returned 4 [0055.103] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.103] lstrlenW (lpString=".doc") returned 4 [0055.103] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0055.103] lstrlenW (lpString=".docx") returned 5 [0055.103] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0055.103] lstrlenW (lpString=".pdf") returned 4 [0055.104] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0055.104] lstrlenW (lpString=".xls") returned 4 [0055.104] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0055.104] lstrlenW (lpString=".xlsx") returned 5 [0055.104] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0055.104] lstrlenW (lpString=".ppt") returned 4 [0055.104] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0055.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.104] lstrlenW (lpString=".zip") returned 4 [0055.104] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0055.104] lstrlenW (lpString=".rar") returned 4 [0055.104] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0055.104] lstrlenW (lpString=".bz2") returned 4 [0055.104] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0055.104] lstrlenW (lpString=".7z") returned 3 [0055.104] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0055.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.104] lstrlenW (lpString=".dbf") returned 4 [0055.104] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0055.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.104] lstrlenW (lpString=".1cd") returned 4 [0055.104] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0055.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 81 [0055.104] lstrlenW (lpString=".jpg") returned 4 [0055.104] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0055.104] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.104] lstrlenW (lpString="scrapbook.png") returned 13 [0055.104] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.704] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=20346) returned 1 [0055.704] CloseHandle (hObject=0x1f8) returned 1 [0055.704] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png")) returned 0x20 [0055.705] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.705] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.705] lstrlenW (lpString=".doc") returned 4 [0055.705] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.705] lstrlenW (lpString=".docx") returned 5 [0055.705] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0055.705] lstrlenW (lpString=".pdf") returned 4 [0055.705] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.705] lstrlenW (lpString=".xls") returned 4 [0055.705] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.705] lstrlenW (lpString=".xlsx") returned 5 [0055.705] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0055.705] lstrlenW (lpString=".ppt") returned 4 [0055.705] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.705] lstrlenW (lpString=".zip") returned 4 [0055.705] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.705] lstrlenW (lpString=".rar") returned 4 [0055.705] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.705] lstrlenW (lpString=".bz2") returned 4 [0055.705] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.705] lstrlenW (lpString=".7z") returned 3 [0055.705] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.705] lstrlenW (lpString=".dbf") returned 4 [0055.706] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.706] lstrlenW (lpString=".1cd") returned 4 [0055.706] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.706] lstrlenW (lpString=".jpg") returned 4 [0055.706] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.706] lstrlenW (lpString=".doc") returned 4 [0055.706] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.706] lstrlenW (lpString=".docx") returned 5 [0055.706] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0055.706] lstrlenW (lpString=".pdf") returned 4 [0055.706] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.706] lstrlenW (lpString=".xls") returned 4 [0055.706] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.706] lstrlenW (lpString=".xlsx") returned 5 [0055.706] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0055.706] lstrlenW (lpString=".ppt") returned 4 [0055.706] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.706] lstrlenW (lpString=".zip") returned 4 [0055.706] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.706] lstrlenW (lpString=".rar") returned 4 [0055.706] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.706] lstrlenW (lpString=".bz2") returned 4 [0055.706] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.706] lstrlenW (lpString=".7z") returned 3 [0055.706] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.706] lstrlenW (lpString=".dbf") returned 4 [0055.706] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.707] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.707] lstrlenW (lpString=".1cd") returned 4 [0055.707] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.707] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0055.707] lstrlenW (lpString=".jpg") returned 4 [0055.707] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.707] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.707] lstrlenW (lpString="menu_style_default_Thumbnail.png") returned 32 [0055.707] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.709] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=4842) returned 1 [0055.709] CloseHandle (hObject=0x1f8) returned 1 [0055.709] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png")) returned 0x20 [0055.709] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.709] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.709] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.709] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.709] lstrlenW (lpString=".doc") returned 4 [0055.709] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.709] lstrlenW (lpString=".docx") returned 5 [0055.709] lstrcmpiW (lpString1=".docx", lpString2="l.png") returned -1 [0055.709] lstrlenW (lpString=".pdf") returned 4 [0055.709] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.709] lstrlenW (lpString=".xls") returned 4 [0055.709] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.709] lstrlenW (lpString=".xlsx") returned 5 [0055.709] lstrcmpiW (lpString1=".xlsx", lpString2="l.png") returned -1 [0055.709] lstrlenW (lpString=".ppt") returned 4 [0055.709] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.709] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.709] lstrlenW (lpString=".zip") returned 4 [0055.710] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.710] lstrlenW (lpString=".rar") returned 4 [0055.710] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.710] lstrlenW (lpString=".bz2") returned 4 [0055.710] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.710] lstrlenW (lpString=".7z") returned 3 [0055.710] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.710] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.710] lstrlenW (lpString=".dbf") returned 4 [0055.710] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.710] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.710] lstrlenW (lpString=".1cd") returned 4 [0055.710] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.710] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.710] lstrlenW (lpString=".jpg") returned 4 [0055.710] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.710] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.710] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.710] lstrlenW (lpString=".doc") returned 4 [0055.710] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.710] lstrlenW (lpString=".docx") returned 5 [0055.710] lstrcmpiW (lpString1=".docx", lpString2="l.png") returned -1 [0055.710] lstrlenW (lpString=".pdf") returned 4 [0055.710] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.710] lstrlenW (lpString=".xls") returned 4 [0055.710] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.710] lstrlenW (lpString=".xlsx") returned 5 [0055.710] lstrcmpiW (lpString1=".xlsx", lpString2="l.png") returned -1 [0055.710] lstrlenW (lpString=".ppt") returned 4 [0055.710] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.710] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.710] lstrlenW (lpString=".zip") returned 4 [0055.710] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.710] lstrlenW (lpString=".rar") returned 4 [0055.710] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.711] lstrlenW (lpString=".bz2") returned 4 [0055.711] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.711] lstrlenW (lpString=".7z") returned 3 [0055.711] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.711] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.711] lstrlenW (lpString=".dbf") returned 4 [0055.711] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.711] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.711] lstrlenW (lpString=".1cd") returned 4 [0055.711] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.711] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 76 [0055.711] lstrlenW (lpString=".jpg") returned 4 [0055.711] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.711] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.711] lstrlenW (lpString="NavigationLeft_ButtonGraphic.png") returned 32 [0055.711] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.712] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=5088) returned 1 [0055.712] CloseHandle (hObject=0x1f8) returned 1 [0055.712] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png")) returned 0x20 [0055.712] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.712] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.712] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.712] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.712] lstrlenW (lpString=".doc") returned 4 [0055.712] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.712] lstrlenW (lpString=".docx") returned 5 [0055.712] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0055.712] lstrlenW (lpString=".pdf") returned 4 [0055.712] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.712] lstrlenW (lpString=".xls") returned 4 [0055.713] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.713] lstrlenW (lpString=".xlsx") returned 5 [0055.713] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0055.713] lstrlenW (lpString=".ppt") returned 4 [0055.713] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.713] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.713] lstrlenW (lpString=".zip") returned 4 [0055.713] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.713] lstrlenW (lpString=".rar") returned 4 [0055.713] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.713] lstrlenW (lpString=".bz2") returned 4 [0055.713] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.713] lstrlenW (lpString=".7z") returned 3 [0055.713] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.713] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.713] lstrlenW (lpString=".dbf") returned 4 [0055.713] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.713] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.713] lstrlenW (lpString=".1cd") returned 4 [0055.714] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.714] lstrlenW (lpString=".jpg") returned 4 [0055.714] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.714] lstrlenW (lpString=".doc") returned 4 [0055.714] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.714] lstrlenW (lpString=".docx") returned 5 [0055.735] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0055.735] lstrlenW (lpString=".pdf") returned 4 [0055.735] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.736] lstrlenW (lpString=".xls") returned 4 [0055.736] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.736] lstrlenW (lpString=".xlsx") returned 5 [0055.736] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0055.736] lstrlenW (lpString=".ppt") returned 4 [0055.736] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.736] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.736] lstrlenW (lpString=".zip") returned 4 [0055.736] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.736] lstrlenW (lpString=".rar") returned 4 [0055.736] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.736] lstrlenW (lpString=".bz2") returned 4 [0055.736] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.736] lstrlenW (lpString=".7z") returned 3 [0055.736] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.736] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.736] lstrlenW (lpString=".dbf") returned 4 [0055.736] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.736] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.736] lstrlenW (lpString=".1cd") returned 4 [0055.736] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.736] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 76 [0055.736] lstrlenW (lpString=".jpg") returned 4 [0055.736] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.736] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.736] lstrlenW (lpString="NavigationLeft_SelectionSubpicture.png") returned 38 [0055.736] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.737] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=3130) returned 1 [0055.737] CloseHandle (hObject=0x1f8) returned 1 [0055.737] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png")) returned 0x20 [0055.737] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.737] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.737] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.737] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.737] lstrlenW (lpString=".doc") returned 4 [0055.737] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.737] lstrlenW (lpString=".docx") returned 5 [0055.737] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0055.737] lstrlenW (lpString=".pdf") returned 4 [0055.737] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.737] lstrlenW (lpString=".xls") returned 4 [0055.737] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.737] lstrlenW (lpString=".xlsx") returned 5 [0055.738] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0055.738] lstrlenW (lpString=".ppt") returned 4 [0055.738] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.738] lstrlenW (lpString=".zip") returned 4 [0055.738] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.738] lstrlenW (lpString=".rar") returned 4 [0055.738] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.738] lstrlenW (lpString=".bz2") returned 4 [0055.738] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.738] lstrlenW (lpString=".7z") returned 3 [0055.738] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.738] lstrlenW (lpString=".dbf") returned 4 [0055.738] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.738] lstrlenW (lpString=".1cd") returned 4 [0055.738] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.738] lstrlenW (lpString=".jpg") returned 4 [0055.738] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.738] lstrlenW (lpString=".doc") returned 4 [0055.738] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.738] lstrlenW (lpString=".docx") returned 5 [0055.738] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0055.738] lstrlenW (lpString=".pdf") returned 4 [0055.738] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.738] lstrlenW (lpString=".xls") returned 4 [0055.738] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.738] lstrlenW (lpString=".xlsx") returned 5 [0055.738] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0055.738] lstrlenW (lpString=".ppt") returned 4 [0055.738] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.738] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.739] lstrlenW (lpString=".zip") returned 4 [0055.739] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.739] lstrlenW (lpString=".rar") returned 4 [0055.739] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.739] lstrlenW (lpString=".bz2") returned 4 [0055.739] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.739] lstrlenW (lpString=".7z") returned 3 [0055.739] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.739] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.739] lstrlenW (lpString=".dbf") returned 4 [0055.739] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.739] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.739] lstrlenW (lpString=".1cd") returned 4 [0055.739] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.739] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 82 [0055.739] lstrlenW (lpString=".jpg") returned 4 [0055.739] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.739] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.739] lstrlenW (lpString="NavigationRight_ButtonGraphic.png") returned 33 [0055.739] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.740] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=5025) returned 1 [0055.740] CloseHandle (hObject=0x1f8) returned 1 [0055.740] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png")) returned 0x20 [0055.740] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.740] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.740] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 77 [0055.740] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 77 [0055.740] lstrlenW (lpString=".doc") returned 4 [0055.740] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.740] lstrlenW (lpString=".docx") returned 5 [0055.740] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0055.740] lstrlenW (lpString=".pdf") returned 4 [0055.740] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.740] lstrlenW (lpString=".xls") returned 4 [0055.740] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.740] lstrlenW (lpString=".xlsx") returned 5 [0055.740] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0055.740] lstrlenW (lpString=".ppt") returned 4 [0055.740] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.740] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 77 [0055.740] lstrlenW (lpString=".zip") returned 4 [0055.741] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.741] lstrlenW (lpString=".rar") returned 4 [0055.741] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.741] lstrlenW (lpString=".bz2") returned 4 [0055.741] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.741] lstrlenW (lpString=".7z") returned 3 [0055.741] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.741] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 77 [0055.741] lstrlenW (lpString=".dbf") returned 4 [0055.741] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.760] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0055.761] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0063.095] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.095] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.096] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.096] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.097] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.097] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.097] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.097] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.097] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.097] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.097] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.097] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.097] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.097] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0063.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0063.790] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2b6ff1c | out: lpFileSize=0x2b6ff1c*=5315) returned 1 [0063.790] CloseHandle (hObject=0x224) returned 1 [0063.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 0x20 [0063.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0063.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0063.791] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.791] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b6fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0063.791] GetLastError () returned 0x0 [0063.791] ReadFile (hFile=0x224, lpBuffer=0x3280020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b6fed4, lpOverlapped=0x0) Thread: id = 11 os_tid = 0x5bc [0036.653] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5c4090 [0036.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5d4098 [0036.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a748 [0036.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x55acd8 [0036.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a790 [0036.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x34d0020 [0036.655] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7a8 [0036.655] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a7a8, Size=0x20) returned 0x5a34c0 [0036.655] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7a8 [0036.655] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a7a8, Size=0x20) returned 0x5a34e8 [0036.655] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0036.655] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0036.655] Wow64DisableWow64FsRedirection (in: OldValue=0x2c6ff58 | out: OldValue=0x2c6ff58*=0x0) returned 1 [0036.655] lstrlenW (lpString="kernel32.dll") returned 12 [0036.655] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34c0 | out: hHeap=0x500000) returned 1 [0036.655] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0036.655] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34e8 | out: hHeap=0x500000) returned 1 [0036.655] Sleep (dwMilliseconds=0x64) [0036.781] Sleep (dwMilliseconds=0x64) [0037.011] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.011] lstrlenW (lpString="Setup.xml") returned 9 [0037.011] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.043] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2296) returned 1 [0037.043] CloseHandle (hObject=0x178) returned 1 [0037.043] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.043] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.043] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.043] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.043] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.043] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0037.044] GetLastError () returned 0x0 [0037.044] ReadFile (in: hFile=0x178, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0037.074] WriteFile (in: hFile=0x17c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x900, lpOverlapped=0x0) returned 1 [0037.075] ReadFile (in: hFile=0x178, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.075] WriteFile (in: hFile=0x17c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.075] SetEndOfFile (hFile=0x17c) returned 1 [0037.075] CloseHandle (hObject=0x17c) returned 1 [0037.075] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.076] SetEndOfFile (hFile=0x178) returned 1 [0037.077] CloseHandle (hObject=0x178) returned 1 [0037.077] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.077] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.077] lstrlenW (lpString=".doc") returned 4 [0037.077] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.077] lstrlenW (lpString=".docx") returned 5 [0037.077] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.077] lstrlenW (lpString=".pdf") returned 4 [0037.077] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.077] lstrlenW (lpString=".xls") returned 4 [0037.077] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.077] lstrlenW (lpString=".xlsx") returned 5 [0037.077] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.077] lstrlenW (lpString=".ppt") returned 4 [0037.077] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.077] lstrlenW (lpString=".zip") returned 4 [0037.078] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.078] lstrlenW (lpString=".rar") returned 4 [0037.078] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString=".bz2") returned 4 [0037.078] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString=".7z") returned 3 [0037.078] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.078] lstrlenW (lpString=".dbf") returned 4 [0037.078] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.078] lstrlenW (lpString=".1cd") returned 4 [0037.078] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.078] lstrlenW (lpString=".jpg") returned 4 [0037.078] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.078] lstrlenW (lpString=".doc") returned 4 [0037.078] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString=".docx") returned 5 [0037.078] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.078] lstrlenW (lpString=".pdf") returned 4 [0037.078] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString=".xls") returned 4 [0037.078] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString=".xlsx") returned 5 [0037.078] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.078] lstrlenW (lpString=".ppt") returned 4 [0037.078] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.078] lstrlenW (lpString=".zip") returned 4 [0037.078] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.078] lstrlenW (lpString=".rar") returned 4 [0037.078] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.078] lstrlenW (lpString=".bz2") returned 4 [0037.078] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.079] lstrlenW (lpString=".7z") returned 3 [0037.079] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.079] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.079] lstrlenW (lpString=".dbf") returned 4 [0037.079] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.079] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.079] lstrlenW (lpString=".1cd") returned 4 [0037.079] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.079] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.079] lstrlenW (lpString=".jpg") returned 4 [0037.079] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.079] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.079] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0037.079] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.097] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1450) returned 1 [0037.097] CloseHandle (hObject=0x164) returned 1 [0037.097] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0037.097] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.097] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.097] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.097] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.097] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.098] GetLastError () returned 0x0 [0037.098] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0037.100] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0037.101] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.101] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0037.101] SetEndOfFile (hFile=0x16c) returned 1 [0037.101] CloseHandle (hObject=0x16c) returned 1 [0037.102] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.102] SetEndOfFile (hFile=0x164) returned 1 [0037.103] CloseHandle (hObject=0x164) returned 1 [0037.103] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.103] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0037.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.103] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.103] lstrlenW (lpString=".doc") returned 4 [0037.103] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.103] lstrlenW (lpString=".docx") returned 5 [0037.103] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.104] lstrlenW (lpString=".pdf") returned 4 [0037.104] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".xls") returned 4 [0037.104] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".xlsx") returned 5 [0037.104] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.104] lstrlenW (lpString=".ppt") returned 4 [0037.104] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.104] lstrlenW (lpString=".zip") returned 4 [0037.104] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.104] lstrlenW (lpString=".rar") returned 4 [0037.104] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".bz2") returned 4 [0037.104] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".7z") returned 3 [0037.104] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.104] lstrlenW (lpString=".dbf") returned 4 [0037.104] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.104] lstrlenW (lpString=".1cd") returned 4 [0037.104] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.104] lstrlenW (lpString=".jpg") returned 4 [0037.104] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.104] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.104] lstrlenW (lpString=".doc") returned 4 [0037.104] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".docx") returned 5 [0037.104] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.104] lstrlenW (lpString=".pdf") returned 4 [0037.104] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".xls") returned 4 [0037.104] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.104] lstrlenW (lpString=".xlsx") returned 5 [0037.105] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.105] lstrlenW (lpString=".ppt") returned 4 [0037.105] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.105] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.105] lstrlenW (lpString=".zip") returned 4 [0037.105] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.105] lstrlenW (lpString=".rar") returned 4 [0037.105] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.105] lstrlenW (lpString=".bz2") returned 4 [0037.105] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.105] lstrlenW (lpString=".7z") returned 3 [0037.105] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.105] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.105] lstrlenW (lpString=".dbf") returned 4 [0037.105] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.105] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.105] lstrlenW (lpString=".1cd") returned 4 [0037.105] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.105] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0037.105] lstrlenW (lpString=".jpg") returned 4 [0037.105] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.105] Sleep (dwMilliseconds=0x64) [0037.213] Sleep (dwMilliseconds=0x64) [0037.338] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.338] lstrlenW (lpString="Setup.xml") returned 9 [0037.338] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.338] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4207) returned 1 [0037.338] CloseHandle (hObject=0x164) returned 1 [0037.338] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.338] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.338] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.338] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.338] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.339] GetLastError () returned 0x0 [0037.339] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x106f, lpOverlapped=0x0) returned 1 [0037.679] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0037.680] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.680] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.680] SetEndOfFile (hFile=0x16c) returned 1 [0037.680] CloseHandle (hObject=0x16c) returned 1 [0037.681] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.681] SetEndOfFile (hFile=0x164) returned 1 [0037.682] CloseHandle (hObject=0x164) returned 1 [0037.682] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.682] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.683] lstrlenW (lpString=".doc") returned 4 [0037.683] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString=".docx") returned 5 [0037.683] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.683] lstrlenW (lpString=".pdf") returned 4 [0037.683] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString=".xls") returned 4 [0037.683] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString=".xlsx") returned 5 [0037.683] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.683] lstrlenW (lpString=".ppt") returned 4 [0037.683] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.683] lstrlenW (lpString=".zip") returned 4 [0037.683] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.683] lstrlenW (lpString=".rar") returned 4 [0037.683] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString=".bz2") returned 4 [0037.683] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString=".7z") returned 3 [0037.683] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.683] lstrlenW (lpString=".dbf") returned 4 [0037.683] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.683] lstrlenW (lpString=".1cd") returned 4 [0037.683] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.683] lstrlenW (lpString=".jpg") returned 4 [0037.683] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.684] lstrlenW (lpString=".doc") returned 4 [0037.684] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString=".docx") returned 5 [0037.684] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.684] lstrlenW (lpString=".pdf") returned 4 [0037.684] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString=".xls") returned 4 [0037.684] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString=".xlsx") returned 5 [0037.684] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.684] lstrlenW (lpString=".ppt") returned 4 [0037.684] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.684] lstrlenW (lpString=".zip") returned 4 [0037.684] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.684] lstrlenW (lpString=".rar") returned 4 [0037.684] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString=".bz2") returned 4 [0037.684] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString=".7z") returned 3 [0037.684] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.684] lstrlenW (lpString=".dbf") returned 4 [0037.684] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.684] lstrlenW (lpString=".1cd") returned 4 [0037.684] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.684] lstrlenW (lpString=".jpg") returned 4 [0037.684] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.684] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.684] lstrlenW (lpString="Setup.xml") returned 9 [0037.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.685] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2424) returned 1 [0037.685] CloseHandle (hObject=0x164) returned 1 [0037.685] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.685] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.685] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.685] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.687] GetLastError () returned 0x0 [0037.687] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x978, lpOverlapped=0x0) returned 1 [0037.690] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x980, lpOverlapped=0x0) returned 1 [0037.691] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.692] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.692] SetEndOfFile (hFile=0x16c) returned 1 [0037.692] CloseHandle (hObject=0x16c) returned 1 [0037.692] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.692] SetEndOfFile (hFile=0x164) returned 1 [0037.693] CloseHandle (hObject=0x164) returned 1 [0037.693] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.694] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.694] lstrlenW (lpString=".doc") returned 4 [0037.694] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString=".docx") returned 5 [0037.694] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.694] lstrlenW (lpString=".pdf") returned 4 [0037.694] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString=".xls") returned 4 [0037.694] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString=".xlsx") returned 5 [0037.694] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.694] lstrlenW (lpString=".ppt") returned 4 [0037.694] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.694] lstrlenW (lpString=".zip") returned 4 [0037.694] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.694] lstrlenW (lpString=".rar") returned 4 [0037.694] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString=".bz2") returned 4 [0037.694] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString=".7z") returned 3 [0037.694] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.694] lstrlenW (lpString=".dbf") returned 4 [0037.694] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".1cd") returned 4 [0037.695] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".jpg") returned 4 [0037.695] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".doc") returned 4 [0037.695] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString=".docx") returned 5 [0037.695] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.695] lstrlenW (lpString=".pdf") returned 4 [0037.695] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString=".xls") returned 4 [0037.695] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString=".xlsx") returned 5 [0037.695] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.695] lstrlenW (lpString=".ppt") returned 4 [0037.695] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".zip") returned 4 [0037.695] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.695] lstrlenW (lpString=".rar") returned 4 [0037.695] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString=".bz2") returned 4 [0037.695] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString=".7z") returned 3 [0037.695] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".dbf") returned 4 [0037.695] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".1cd") returned 4 [0037.695] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.695] lstrlenW (lpString=".jpg") returned 4 [0037.695] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.696] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.696] lstrlenW (lpString="WordMUI.xml") returned 11 [0037.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.696] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1800) returned 1 [0037.696] CloseHandle (hObject=0x164) returned 1 [0037.696] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0037.696] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.696] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.697] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.697] GetLastError () returned 0x0 [0037.697] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x708, lpOverlapped=0x0) returned 1 [0037.715] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x710, lpOverlapped=0x0) returned 1 [0037.716] ReadFile (in: hFile=0x164, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.716] WriteFile (in: hFile=0x16c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0037.716] SetEndOfFile (hFile=0x16c) returned 1 [0037.716] CloseHandle (hObject=0x16c) returned 1 [0037.717] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.717] SetEndOfFile (hFile=0x164) returned 1 [0037.718] CloseHandle (hObject=0x164) returned 1 [0037.718] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.766] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0037.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.766] lstrlenW (lpString=".doc") returned 4 [0037.767] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString=".docx") returned 5 [0037.767] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.767] lstrlenW (lpString=".pdf") returned 4 [0037.767] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString=".xls") returned 4 [0037.767] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString=".xlsx") returned 5 [0037.767] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.767] lstrlenW (lpString=".ppt") returned 4 [0037.767] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.767] lstrlenW (lpString=".zip") returned 4 [0037.767] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.767] lstrlenW (lpString=".rar") returned 4 [0037.767] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString=".bz2") returned 4 [0037.767] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString=".7z") returned 3 [0037.767] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.767] lstrlenW (lpString=".dbf") returned 4 [0037.767] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.767] lstrlenW (lpString=".1cd") returned 4 [0037.767] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.767] lstrlenW (lpString=".jpg") returned 4 [0037.767] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.767] lstrlenW (lpString=".doc") returned 4 [0037.767] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.767] lstrlenW (lpString=".docx") returned 5 [0037.767] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.768] lstrlenW (lpString=".pdf") returned 4 [0037.768] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString=".xls") returned 4 [0037.768] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString=".xlsx") returned 5 [0037.768] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.768] lstrlenW (lpString=".ppt") returned 4 [0037.768] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.768] lstrlenW (lpString=".zip") returned 4 [0037.768] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.768] lstrlenW (lpString=".rar") returned 4 [0037.768] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString=".bz2") returned 4 [0037.768] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString=".7z") returned 3 [0037.768] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.768] lstrlenW (lpString=".dbf") returned 4 [0037.768] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.768] lstrlenW (lpString=".1cd") returned 4 [0037.768] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0037.768] lstrlenW (lpString=".jpg") returned 4 [0037.768] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.768] Sleep (dwMilliseconds=0x64) [0037.878] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.878] lstrlenW (lpString="VisioMUI.xml") returned 12 [0037.878] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.950] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=9503) returned 1 [0037.950] CloseHandle (hObject=0x190) returned 1 [0037.950] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0037.950] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.950] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.951] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.951] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.951] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0037.951] GetLastError () returned 0x0 [0037.951] ReadFile (in: hFile=0x190, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x251f, lpOverlapped=0x0) returned 1 [0038.030] WriteFile (in: hFile=0x194, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0038.031] ReadFile (in: hFile=0x190, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.031] WriteFile (in: hFile=0x194, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0038.031] SetEndOfFile (hFile=0x194) returned 1 [0038.032] CloseHandle (hObject=0x194) returned 1 [0038.032] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.032] SetEndOfFile (hFile=0x190) returned 1 [0038.033] CloseHandle (hObject=0x190) returned 1 [0038.033] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0038.034] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.034] lstrlenW (lpString=".doc") returned 4 [0038.034] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".docx") returned 5 [0038.034] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0038.034] lstrlenW (lpString=".pdf") returned 4 [0038.034] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".xls") returned 4 [0038.034] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".xlsx") returned 5 [0038.034] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0038.034] lstrlenW (lpString=".ppt") returned 4 [0038.034] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.034] lstrlenW (lpString=".zip") returned 4 [0038.034] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.034] lstrlenW (lpString=".rar") returned 4 [0038.034] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".bz2") returned 4 [0038.034] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".7z") returned 3 [0038.034] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.034] lstrlenW (lpString=".dbf") returned 4 [0038.034] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.034] lstrlenW (lpString=".1cd") returned 4 [0038.034] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString=".jpg") returned 4 [0038.035] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString=".doc") returned 4 [0038.035] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString=".docx") returned 5 [0038.035] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0038.035] lstrlenW (lpString=".pdf") returned 4 [0038.035] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString=".xls") returned 4 [0038.035] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString=".xlsx") returned 5 [0038.035] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0038.035] lstrlenW (lpString=".ppt") returned 4 [0038.035] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString=".zip") returned 4 [0038.035] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.035] lstrlenW (lpString=".rar") returned 4 [0038.035] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString=".bz2") returned 4 [0038.035] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString=".7z") returned 3 [0038.035] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString=".dbf") returned 4 [0038.035] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString=".1cd") returned 4 [0038.035] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0038.035] lstrlenW (lpString=".jpg") returned 4 [0038.035] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.036] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0038.036] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0038.036] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0038.037] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=913) returned 1 [0038.037] CloseHandle (hObject=0x190) returned 1 [0038.037] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0038.037] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.037] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0038.037] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.038] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.038] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0038.038] GetLastError () returned 0x0 [0038.038] ReadFile (in: hFile=0x190, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x391, lpOverlapped=0x0) returned 1 [0038.082] WriteFile (in: hFile=0x194, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0038.083] ReadFile (in: hFile=0x190, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.083] WriteFile (in: hFile=0x194, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0038.083] SetEndOfFile (hFile=0x194) returned 1 [0038.083] CloseHandle (hObject=0x194) returned 1 [0038.084] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.084] SetEndOfFile (hFile=0x190) returned 1 [0038.085] CloseHandle (hObject=0x190) returned 1 [0038.085] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0038.085] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0038.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.085] lstrlenW (lpString=".doc") returned 4 [0038.085] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.085] lstrlenW (lpString=".docx") returned 5 [0038.085] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0038.085] lstrlenW (lpString=".pdf") returned 4 [0038.086] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString=".xls") returned 4 [0038.086] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString=".xlsx") returned 5 [0038.086] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0038.086] lstrlenW (lpString=".ppt") returned 4 [0038.086] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.086] lstrlenW (lpString=".zip") returned 4 [0038.086] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.086] lstrlenW (lpString=".rar") returned 4 [0038.086] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString=".bz2") returned 4 [0038.086] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString=".7z") returned 3 [0038.086] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.086] lstrlenW (lpString=".dbf") returned 4 [0038.086] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.086] lstrlenW (lpString=".1cd") returned 4 [0038.086] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.086] lstrlenW (lpString=".jpg") returned 4 [0038.086] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.086] lstrlenW (lpString=".doc") returned 4 [0038.086] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.086] lstrlenW (lpString=".docx") returned 5 [0038.096] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0038.096] lstrlenW (lpString=".pdf") returned 4 [0038.096] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString=".xls") returned 4 [0038.096] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString=".xlsx") returned 5 [0038.096] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0038.096] lstrlenW (lpString=".ppt") returned 4 [0038.096] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.096] lstrlenW (lpString=".zip") returned 4 [0038.096] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.096] lstrlenW (lpString=".rar") returned 4 [0038.096] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString=".bz2") returned 4 [0038.096] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString=".7z") returned 3 [0038.096] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.096] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.096] lstrlenW (lpString=".dbf") returned 4 [0038.096] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.096] lstrlenW (lpString=".1cd") returned 4 [0038.096] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.096] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0038.096] lstrlenW (lpString=".jpg") returned 4 [0038.096] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.097] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0038.097] lstrlenW (lpString="branding.xml") returned 12 [0038.097] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.120] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=596341) returned 1 [0038.120] CloseHandle (hObject=0x1a0) returned 1 [0038.120] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0038.120] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.120] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.120] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.120] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.120] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.121] GetLastError () returned 0x0 [0038.121] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x91975, lpOverlapped=0x0) returned 1 [0038.136] WriteFile (in: hFile=0x1a4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0038.317] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.317] WriteFile (in: hFile=0x1a4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0038.317] SetEndOfFile (hFile=0x1a4) returned 1 [0039.036] CloseHandle (hObject=0x1a4) returned 1 [0039.586] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.586] SetEndOfFile (hFile=0x1a0) returned 1 [0039.611] CloseHandle (hObject=0x1a0) returned 1 [0039.611] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.465] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0040.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.474] lstrlenW (lpString=".doc") returned 4 [0040.474] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.474] lstrlenW (lpString=".docx") returned 5 [0040.474] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0040.474] lstrlenW (lpString=".pdf") returned 4 [0040.474] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.474] lstrlenW (lpString=".xls") returned 4 [0040.474] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.474] lstrlenW (lpString=".xlsx") returned 5 [0040.474] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0040.474] lstrlenW (lpString=".ppt") returned 4 [0040.474] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.474] lstrlenW (lpString=".zip") returned 4 [0040.474] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.474] lstrlenW (lpString=".rar") returned 4 [0040.485] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.485] lstrlenW (lpString=".bz2") returned 4 [0040.485] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.485] lstrlenW (lpString=".7z") returned 3 [0040.485] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.485] lstrlenW (lpString=".dbf") returned 4 [0040.485] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.495] lstrlenW (lpString=".1cd") returned 4 [0040.495] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.495] lstrlenW (lpString=".jpg") returned 4 [0040.495] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.504] lstrlenW (lpString=".doc") returned 4 [0040.504] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString=".docx") returned 5 [0040.505] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0040.505] lstrlenW (lpString=".pdf") returned 4 [0040.505] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString=".xls") returned 4 [0040.505] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString=".xlsx") returned 5 [0040.505] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0040.505] lstrlenW (lpString=".ppt") returned 4 [0040.505] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.505] lstrlenW (lpString=".zip") returned 4 [0040.505] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.505] lstrlenW (lpString=".rar") returned 4 [0040.505] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString=".bz2") returned 4 [0040.505] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString=".7z") returned 3 [0040.505] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.505] lstrlenW (lpString=".dbf") returned 4 [0040.505] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.505] lstrlenW (lpString=".1cd") returned 4 [0040.505] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0040.505] lstrlenW (lpString=".jpg") returned 4 [0040.505] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.506] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.506] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0040.506] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0040.508] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=819) returned 1 [0040.508] CloseHandle (hObject=0x1dc) returned 1 [0040.508] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0040.508] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0040.508] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.508] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0040.509] GetLastError () returned 0x0 [0040.509] ReadFile (in: hFile=0x1dc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x333, lpOverlapped=0x0) returned 1 [0040.510] WriteFile (in: hFile=0x1e4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x340, lpOverlapped=0x0) returned 1 [0040.512] ReadFile (in: hFile=0x1dc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.512] WriteFile (in: hFile=0x1e4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0040.512] SetEndOfFile (hFile=0x1e4) returned 1 [0040.513] CloseHandle (hObject=0x1e4) returned 1 [0040.513] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.513] SetEndOfFile (hFile=0x1dc) returned 1 [0040.514] CloseHandle (hObject=0x1dc) returned 1 [0040.514] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.514] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0040.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.514] lstrlenW (lpString=".doc") returned 4 [0040.514] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString=".docx") returned 5 [0040.515] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0040.515] lstrlenW (lpString=".pdf") returned 4 [0040.515] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString=".xls") returned 4 [0040.515] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString=".xlsx") returned 5 [0040.515] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0040.515] lstrlenW (lpString=".ppt") returned 4 [0040.515] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.515] lstrlenW (lpString=".zip") returned 4 [0040.515] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.515] lstrlenW (lpString=".rar") returned 4 [0040.515] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString=".bz2") returned 4 [0040.515] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString=".7z") returned 3 [0040.515] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.515] lstrlenW (lpString=".dbf") returned 4 [0040.515] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.515] lstrlenW (lpString=".1cd") returned 4 [0040.515] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.515] lstrlenW (lpString=".jpg") returned 4 [0040.515] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.515] lstrlenW (lpString=".doc") returned 4 [0040.515] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.515] lstrlenW (lpString=".docx") returned 5 [0040.515] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0040.515] lstrlenW (lpString=".pdf") returned 4 [0040.515] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString=".xls") returned 4 [0040.516] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString=".xlsx") returned 5 [0040.516] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0040.516] lstrlenW (lpString=".ppt") returned 4 [0040.516] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.516] lstrlenW (lpString=".zip") returned 4 [0040.516] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.516] lstrlenW (lpString=".rar") returned 4 [0040.516] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString=".bz2") returned 4 [0040.516] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString=".7z") returned 3 [0040.516] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.516] lstrlenW (lpString=".dbf") returned 4 [0040.516] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.516] lstrlenW (lpString=".1cd") returned 4 [0040.516] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0040.516] lstrlenW (lpString=".jpg") returned 4 [0040.516] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.516] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.516] lstrlenW (lpString="Setup.xml") returned 9 [0040.516] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0040.517] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2624) returned 1 [0040.517] CloseHandle (hObject=0x1dc) returned 1 [0040.517] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0040.517] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.517] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0040.517] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.517] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.517] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0040.517] GetLastError () returned 0x0 [0040.517] ReadFile (in: hFile=0x1dc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0xa40, lpOverlapped=0x0) returned 1 [0040.519] WriteFile (in: hFile=0x1e4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0040.522] ReadFile (in: hFile=0x1dc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.522] WriteFile (in: hFile=0x1e4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.522] SetEndOfFile (hFile=0x1e4) returned 1 [0040.522] CloseHandle (hObject=0x1e4) returned 1 [0040.524] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.524] SetEndOfFile (hFile=0x1dc) returned 1 [0040.524] CloseHandle (hObject=0x1dc) returned 1 [0040.525] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.525] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.525] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.525] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.525] lstrlenW (lpString=".doc") returned 4 [0040.525] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.525] lstrlenW (lpString=".docx") returned 5 [0040.525] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0040.525] lstrlenW (lpString=".pdf") returned 4 [0040.525] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.525] lstrlenW (lpString=".xls") returned 4 [0040.525] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.525] lstrlenW (lpString=".xlsx") returned 5 [0040.525] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0040.525] lstrlenW (lpString=".ppt") returned 4 [0040.525] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.525] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.525] lstrlenW (lpString=".zip") returned 4 [0040.525] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.525] lstrlenW (lpString=".rar") returned 4 [0040.525] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.525] lstrlenW (lpString=".bz2") returned 4 [0040.526] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString=".7z") returned 3 [0040.526] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.526] lstrlenW (lpString=".dbf") returned 4 [0040.526] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.526] lstrlenW (lpString=".1cd") returned 4 [0040.526] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.526] lstrlenW (lpString=".jpg") returned 4 [0040.526] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.526] lstrlenW (lpString=".doc") returned 4 [0040.526] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString=".docx") returned 5 [0040.526] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0040.526] lstrlenW (lpString=".pdf") returned 4 [0040.526] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString=".xls") returned 4 [0040.526] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString=".xlsx") returned 5 [0040.526] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0040.526] lstrlenW (lpString=".ppt") returned 4 [0040.526] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.526] lstrlenW (lpString=".zip") returned 4 [0040.526] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.526] lstrlenW (lpString=".rar") returned 4 [0040.526] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString=".bz2") returned 4 [0040.526] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.526] lstrlenW (lpString=".7z") returned 3 [0040.526] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.527] lstrlenW (lpString=".dbf") returned 4 [0040.527] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.527] lstrlenW (lpString=".1cd") returned 4 [0040.527] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.527] lstrlenW (lpString=".jpg") returned 4 [0040.527] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.527] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.527] lstrlenW (lpString="Office32WW.xml") returned 14 [0040.527] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0040.528] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4274) returned 1 [0040.528] CloseHandle (hObject=0x1dc) returned 1 [0040.528] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0040.529] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.529] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0040.529] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.529] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.529] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0040.530] GetLastError () returned 0x0 [0040.530] ReadFile (in: hFile=0x1dc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0040.532] WriteFile (in: hFile=0x1e4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0040.532] ReadFile (in: hFile=0x1dc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.533] WriteFile (in: hFile=0x1e4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.533] SetEndOfFile (hFile=0x1e4) returned 1 [0040.533] CloseHandle (hObject=0x1e4) returned 1 [0040.533] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.533] SetEndOfFile (hFile=0x1dc) returned 1 [0040.534] CloseHandle (hObject=0x1dc) returned 1 [0040.534] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.535] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0040.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.535] lstrlenW (lpString=".doc") returned 4 [0040.535] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.535] lstrlenW (lpString=".docx") returned 5 [0040.535] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0040.535] lstrlenW (lpString=".pdf") returned 4 [0040.535] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.535] lstrlenW (lpString=".xls") returned 4 [0040.535] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.535] lstrlenW (lpString=".xlsx") returned 5 [0040.535] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0040.535] lstrlenW (lpString=".ppt") returned 4 [0040.535] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.535] lstrlenW (lpString=".zip") returned 4 [0040.535] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.535] lstrlenW (lpString=".rar") returned 4 [0040.535] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.535] lstrlenW (lpString=".bz2") returned 4 [0040.536] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString=".7z") returned 3 [0040.536] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.536] lstrlenW (lpString=".dbf") returned 4 [0040.536] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.536] lstrlenW (lpString=".1cd") returned 4 [0040.536] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.536] lstrlenW (lpString=".jpg") returned 4 [0040.536] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.536] lstrlenW (lpString=".doc") returned 4 [0040.536] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString=".docx") returned 5 [0040.536] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0040.536] lstrlenW (lpString=".pdf") returned 4 [0040.536] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString=".xls") returned 4 [0040.536] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString=".xlsx") returned 5 [0040.536] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0040.536] lstrlenW (lpString=".ppt") returned 4 [0040.536] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.536] lstrlenW (lpString=".zip") returned 4 [0040.536] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.536] lstrlenW (lpString=".rar") returned 4 [0040.536] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString=".bz2") returned 4 [0040.536] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.536] lstrlenW (lpString=".7z") returned 3 [0040.537] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.537] lstrlenW (lpString=".dbf") returned 4 [0040.537] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.537] lstrlenW (lpString=".1cd") returned 4 [0040.537] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0040.537] lstrlenW (lpString=".jpg") returned 4 [0040.537] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.537] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.537] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0040.537] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.033] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=16852) returned 1 [0041.041] CloseHandle (hObject=0x1f0) returned 1 [0041.041] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0041.041] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.041] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.041] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.041] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.042] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.042] GetLastError () returned 0x0 [0041.042] ReadFile (in: hFile=0x1f0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0041.106] WriteFile (in: hFile=0x1c8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0041.108] ReadFile (in: hFile=0x1f0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.108] WriteFile (in: hFile=0x1c8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.108] SetEndOfFile (hFile=0x1c8) returned 1 [0041.108] CloseHandle (hObject=0x1c8) returned 1 [0041.109] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.109] SetEndOfFile (hFile=0x1f0) returned 1 [0041.110] CloseHandle (hObject=0x1f0) returned 1 [0041.110] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.110] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0041.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.110] lstrlenW (lpString=".doc") returned 4 [0041.110] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.110] lstrlenW (lpString=".docx") returned 5 [0041.110] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.110] lstrlenW (lpString=".pdf") returned 4 [0041.110] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".xls") returned 4 [0041.111] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".xlsx") returned 5 [0041.111] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.111] lstrlenW (lpString=".ppt") returned 4 [0041.111] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.111] lstrlenW (lpString=".zip") returned 4 [0041.111] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.111] lstrlenW (lpString=".rar") returned 4 [0041.111] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".bz2") returned 4 [0041.111] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".7z") returned 3 [0041.111] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.111] lstrlenW (lpString=".dbf") returned 4 [0041.111] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.111] lstrlenW (lpString=".1cd") returned 4 [0041.111] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.111] lstrlenW (lpString=".jpg") returned 4 [0041.111] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.111] lstrlenW (lpString=".doc") returned 4 [0041.111] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".docx") returned 5 [0041.111] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.111] lstrlenW (lpString=".pdf") returned 4 [0041.111] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".xls") returned 4 [0041.111] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.111] lstrlenW (lpString=".xlsx") returned 5 [0041.112] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.112] lstrlenW (lpString=".ppt") returned 4 [0041.112] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.112] lstrlenW (lpString=".zip") returned 4 [0041.112] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.112] lstrlenW (lpString=".rar") returned 4 [0041.112] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.112] lstrlenW (lpString=".bz2") returned 4 [0041.112] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.112] lstrlenW (lpString=".7z") returned 3 [0041.112] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.112] lstrlenW (lpString=".dbf") returned 4 [0041.112] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.112] lstrlenW (lpString=".1cd") returned 4 [0041.112] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0041.112] lstrlenW (lpString=".jpg") returned 4 [0041.112] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.112] lstrcmpiW (lpString1=".EPS", lpString2=".NcOv") returned -1 [0041.112] lstrlenW (lpString="MS.EPS") returned 6 [0041.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.120] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=15067) returned 1 [0041.120] CloseHandle (hObject=0x1fc) returned 1 [0041.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0041.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.121] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.121] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.124] GetLastError () returned 0x0 [0041.124] ReadFile (in: hFile=0x1fc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x3adb, lpOverlapped=0x0) returned 1 [0041.126] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0041.127] ReadFile (in: hFile=0x1fc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.127] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0041.127] SetEndOfFile (hFile=0x200) returned 1 [0041.127] CloseHandle (hObject=0x200) returned 1 [0041.128] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.128] SetEndOfFile (hFile=0x1fc) returned 1 [0041.129] CloseHandle (hObject=0x1fc) returned 1 [0041.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0041.129] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString=".doc") returned 4 [0041.130] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0041.130] lstrlenW (lpString=".docx") returned 5 [0041.130] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0041.130] lstrlenW (lpString=".pdf") returned 4 [0041.130] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0041.130] lstrlenW (lpString=".xls") returned 4 [0041.130] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0041.130] lstrlenW (lpString=".xlsx") returned 5 [0041.130] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0041.130] lstrlenW (lpString=".ppt") returned 4 [0041.130] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString=".zip") returned 4 [0041.130] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0041.130] lstrlenW (lpString=".rar") returned 4 [0041.130] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0041.130] lstrlenW (lpString=".bz2") returned 4 [0041.130] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0041.130] lstrlenW (lpString=".7z") returned 3 [0041.130] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString=".dbf") returned 4 [0041.130] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString=".1cd") returned 4 [0041.130] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString=".jpg") returned 4 [0041.130] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.131] lstrlenW (lpString=".doc") returned 4 [0041.131] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0041.131] lstrlenW (lpString=".docx") returned 5 [0041.131] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0041.131] lstrlenW (lpString=".pdf") returned 4 [0041.131] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0041.131] lstrlenW (lpString=".xls") returned 4 [0041.131] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0041.131] lstrlenW (lpString=".xlsx") returned 5 [0041.131] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0041.131] lstrlenW (lpString=".ppt") returned 4 [0041.131] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0041.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.131] lstrlenW (lpString=".zip") returned 4 [0041.131] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0041.131] lstrlenW (lpString=".rar") returned 4 [0041.131] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0041.131] lstrlenW (lpString=".bz2") returned 4 [0041.131] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0041.131] lstrlenW (lpString=".7z") returned 3 [0041.131] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0041.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.131] lstrlenW (lpString=".dbf") returned 4 [0041.131] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0041.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.131] lstrlenW (lpString=".1cd") returned 4 [0041.131] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0041.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0041.131] lstrlenW (lpString=".jpg") returned 4 [0041.131] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0041.131] lstrcmpiW (lpString1=".JPG", lpString2=".NcOv") returned -1 [0041.131] lstrlenW (lpString="MS.JPG") returned 6 [0041.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.132] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1061) returned 1 [0041.132] CloseHandle (hObject=0x1fc) returned 1 [0041.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0041.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.133] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.133] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.133] GetLastError () returned 0x0 [0041.133] ReadFile (in: hFile=0x1fc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x425, lpOverlapped=0x0) returned 1 [0041.135] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x430, lpOverlapped=0x0) returned 1 [0041.136] ReadFile (in: hFile=0x1fc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.136] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0041.136] SetEndOfFile (hFile=0x200) returned 1 [0041.136] CloseHandle (hObject=0x200) returned 1 [0041.137] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.137] SetEndOfFile (hFile=0x1fc) returned 1 [0041.138] CloseHandle (hObject=0x1fc) returned 1 [0041.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0041.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0041.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.138] lstrlenW (lpString=".doc") returned 4 [0041.138] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0041.138] lstrlenW (lpString=".docx") returned 5 [0041.138] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0041.138] lstrlenW (lpString=".pdf") returned 4 [0041.138] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0041.138] lstrlenW (lpString=".xls") returned 4 [0041.138] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0041.138] lstrlenW (lpString=".xlsx") returned 5 [0041.138] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0041.138] lstrlenW (lpString=".ppt") returned 4 [0041.138] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString=".zip") returned 4 [0041.139] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0041.139] lstrlenW (lpString=".rar") returned 4 [0041.139] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0041.139] lstrlenW (lpString=".bz2") returned 4 [0041.139] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0041.139] lstrlenW (lpString=".7z") returned 3 [0041.139] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString=".dbf") returned 4 [0041.139] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString=".1cd") returned 4 [0041.139] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString=".jpg") returned 4 [0041.139] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString=".doc") returned 4 [0041.139] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0041.139] lstrlenW (lpString=".docx") returned 5 [0041.139] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0041.139] lstrlenW (lpString=".pdf") returned 4 [0041.139] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0041.139] lstrlenW (lpString=".xls") returned 4 [0041.139] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0041.139] lstrlenW (lpString=".xlsx") returned 5 [0041.139] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0041.139] lstrlenW (lpString=".ppt") returned 4 [0041.139] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0041.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.139] lstrlenW (lpString=".zip") returned 4 [0041.139] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0041.140] lstrlenW (lpString=".rar") returned 4 [0041.140] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0041.140] lstrlenW (lpString=".bz2") returned 4 [0041.140] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0041.140] lstrlenW (lpString=".7z") returned 3 [0041.140] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0041.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.140] lstrlenW (lpString=".dbf") returned 4 [0041.140] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0041.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.140] lstrlenW (lpString=".1cd") returned 4 [0041.140] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0041.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0041.140] lstrlenW (lpString=".jpg") returned 4 [0041.140] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0041.140] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0041.140] lstrlenW (lpString="MS.PNG") returned 6 [0041.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.140] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1682) returned 1 [0041.140] CloseHandle (hObject=0x1fc) returned 1 [0041.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0041.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0041.141] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.141] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.141] GetLastError () returned 0x0 [0041.141] ReadFile (in: hFile=0x1fc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x692, lpOverlapped=0x0) returned 1 [0041.143] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0041.144] ReadFile (in: hFile=0x1fc, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.144] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0041.144] SetEndOfFile (hFile=0x200) returned 1 [0041.144] CloseHandle (hObject=0x200) returned 1 [0041.145] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.145] SetEndOfFile (hFile=0x1fc) returned 1 [0041.146] CloseHandle (hObject=0x1fc) returned 1 [0041.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0041.146] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0041.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.146] lstrlenW (lpString=".doc") returned 4 [0041.146] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0041.146] lstrlenW (lpString=".docx") returned 5 [0041.147] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0041.147] lstrlenW (lpString=".pdf") returned 4 [0041.147] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0041.147] lstrlenW (lpString=".xls") returned 4 [0041.147] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0041.147] lstrlenW (lpString=".xlsx") returned 5 [0041.147] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0041.147] lstrlenW (lpString=".ppt") returned 4 [0041.147] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0041.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.147] lstrlenW (lpString=".zip") returned 4 [0041.147] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0041.147] lstrlenW (lpString=".rar") returned 4 [0041.147] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0041.147] lstrlenW (lpString=".bz2") returned 4 [0041.147] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0041.147] lstrlenW (lpString=".7z") returned 3 [0041.147] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0041.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.147] lstrlenW (lpString=".dbf") returned 4 [0041.147] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0041.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.147] lstrlenW (lpString=".1cd") returned 4 [0041.147] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0041.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.147] lstrlenW (lpString=".jpg") returned 4 [0041.147] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0041.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.147] lstrlenW (lpString=".doc") returned 4 [0041.147] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0041.147] lstrlenW (lpString=".docx") returned 5 [0041.147] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0041.147] lstrlenW (lpString=".pdf") returned 4 [0041.147] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0041.148] lstrlenW (lpString=".xls") returned 4 [0041.148] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0041.148] lstrlenW (lpString=".xlsx") returned 5 [0041.148] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0041.148] lstrlenW (lpString=".ppt") returned 4 [0041.148] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0041.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.148] lstrlenW (lpString=".zip") returned 4 [0041.148] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0041.148] lstrlenW (lpString=".rar") returned 4 [0041.148] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0041.148] lstrlenW (lpString=".bz2") returned 4 [0041.148] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0041.148] lstrlenW (lpString=".7z") returned 3 [0041.148] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0041.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.148] lstrlenW (lpString=".dbf") returned 4 [0041.148] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0041.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.148] lstrlenW (lpString=".1cd") returned 4 [0041.148] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0041.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0041.148] lstrlenW (lpString=".jpg") returned 4 [0041.148] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0041.148] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0041.148] lstrlenW (lpString="Alphabet.xml") returned 12 [0041.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0041.530] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=791686) returned 1 [0041.530] CloseHandle (hObject=0x194) returned 1 [0041.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0041.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.530] lstrlenW (lpString=".doc") returned 4 [0041.530] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.530] lstrlenW (lpString=".docx") returned 5 [0041.530] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0041.530] lstrlenW (lpString=".pdf") returned 4 [0041.530] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.530] lstrlenW (lpString=".xls") returned 4 [0041.530] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.530] lstrlenW (lpString=".xlsx") returned 5 [0041.530] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0041.530] lstrlenW (lpString=".ppt") returned 4 [0041.530] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.530] lstrlenW (lpString=".zip") returned 4 [0041.531] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.531] lstrlenW (lpString=".rar") returned 4 [0041.531] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString=".bz2") returned 4 [0041.531] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString=".7z") returned 3 [0041.531] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.531] lstrlenW (lpString=".dbf") returned 4 [0041.531] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.531] lstrlenW (lpString=".1cd") returned 4 [0041.531] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.531] lstrlenW (lpString=".jpg") returned 4 [0041.531] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.531] lstrlenW (lpString=".doc") returned 4 [0041.531] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString=".docx") returned 5 [0041.531] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0041.531] lstrlenW (lpString=".pdf") returned 4 [0041.531] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.531] lstrlenW (lpString=".xls") returned 4 [0041.531] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.532] lstrlenW (lpString=".xlsx") returned 5 [0041.532] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0041.532] lstrlenW (lpString=".ppt") returned 4 [0041.532] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.532] lstrlenW (lpString=".zip") returned 4 [0041.532] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.532] lstrlenW (lpString=".rar") returned 4 [0041.532] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.532] lstrlenW (lpString=".bz2") returned 4 [0041.532] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.532] lstrlenW (lpString=".7z") returned 3 [0041.532] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.532] lstrlenW (lpString=".dbf") returned 4 [0041.532] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.532] lstrlenW (lpString=".1cd") returned 4 [0041.532] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0041.532] lstrlenW (lpString=".jpg") returned 4 [0041.532] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.532] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0041.533] lstrlenW (lpString="boxed-split.avi") returned 15 [0041.533] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.070] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=62976) returned 1 [0042.070] CloseHandle (hObject=0x194) returned 1 [0042.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0042.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.075] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.077] lstrlenW (lpString=".doc") returned 4 [0042.077] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.078] lstrlenW (lpString=".docx") returned 5 [0042.078] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.078] lstrlenW (lpString=".pdf") returned 4 [0042.079] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.079] lstrlenW (lpString=".xls") returned 4 [0042.079] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.079] lstrlenW (lpString=".xlsx") returned 5 [0042.087] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.087] lstrlenW (lpString=".ppt") returned 4 [0042.087] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.087] lstrlenW (lpString=".zip") returned 4 [0042.087] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.087] lstrlenW (lpString=".rar") returned 4 [0042.087] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.087] lstrlenW (lpString=".bz2") returned 4 [0042.087] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.087] lstrlenW (lpString=".7z") returned 3 [0042.087] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.087] lstrlenW (lpString=".dbf") returned 4 [0042.088] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString=".1cd") returned 4 [0042.088] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString=".jpg") returned 4 [0042.088] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString=".doc") returned 4 [0042.088] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString=".docx") returned 5 [0042.088] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.088] lstrlenW (lpString=".pdf") returned 4 [0042.088] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString=".xls") returned 4 [0042.088] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString=".xlsx") returned 5 [0042.088] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.088] lstrlenW (lpString=".ppt") returned 4 [0042.088] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString=".zip") returned 4 [0042.088] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString=".rar") returned 4 [0042.088] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString=".bz2") returned 4 [0042.088] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString=".7z") returned 3 [0042.088] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString=".dbf") returned 4 [0042.088] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.088] lstrlenW (lpString=".1cd") returned 4 [0042.088] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0042.089] lstrlenW (lpString=".jpg") returned 4 [0042.089] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.089] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.089] lstrlenW (lpString="zh-dayi.xml") returned 11 [0042.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0042.752] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=11067) returned 1 [0042.752] CloseHandle (hObject=0x1a0) returned 1 [0042.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml")) returned 0x20 [0042.753] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.753] lstrlenW (lpString=".doc") returned 4 [0042.753] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString=".docx") returned 5 [0042.753] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0042.753] lstrlenW (lpString=".pdf") returned 4 [0042.753] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString=".xls") returned 4 [0042.753] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString=".xlsx") returned 5 [0042.753] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0042.753] lstrlenW (lpString=".ppt") returned 4 [0042.753] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.753] lstrlenW (lpString=".zip") returned 4 [0042.753] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.753] lstrlenW (lpString=".rar") returned 4 [0042.753] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString=".bz2") returned 4 [0042.753] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString=".7z") returned 3 [0042.753] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.753] lstrlenW (lpString=".dbf") returned 4 [0042.753] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.753] lstrlenW (lpString=".1cd") returned 4 [0042.754] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString=".jpg") returned 4 [0042.754] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString=".doc") returned 4 [0042.754] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString=".docx") returned 5 [0042.754] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0042.754] lstrlenW (lpString=".pdf") returned 4 [0042.754] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString=".xls") returned 4 [0042.754] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString=".xlsx") returned 5 [0042.754] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0042.754] lstrlenW (lpString=".ppt") returned 4 [0042.754] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString=".zip") returned 4 [0042.754] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.754] lstrlenW (lpString=".rar") returned 4 [0042.754] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString=".bz2") returned 4 [0042.754] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString=".7z") returned 3 [0042.754] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString=".dbf") returned 4 [0042.754] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString=".1cd") returned 4 [0042.754] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0042.754] lstrlenW (lpString=".jpg") returned 4 [0042.755] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.755] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.755] lstrlenW (lpString="numbers.xml") returned 11 [0042.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.756] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=209) returned 1 [0042.756] CloseHandle (hObject=0x1c4) returned 1 [0042.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml")) returned 0x20 [0042.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.756] lstrlenW (lpString=".doc") returned 4 [0042.756] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.756] lstrlenW (lpString=".docx") returned 5 [0042.756] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0042.756] lstrlenW (lpString=".pdf") returned 4 [0042.756] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.756] lstrlenW (lpString=".xls") returned 4 [0042.756] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.756] lstrlenW (lpString=".xlsx") returned 5 [0042.756] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0042.756] lstrlenW (lpString=".ppt") returned 4 [0042.756] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.756] lstrlenW (lpString=".zip") returned 4 [0042.756] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.757] lstrlenW (lpString=".rar") returned 4 [0042.757] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".bz2") returned 4 [0042.757] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".7z") returned 3 [0042.757] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.757] lstrlenW (lpString=".dbf") returned 4 [0042.757] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.757] lstrlenW (lpString=".1cd") returned 4 [0042.757] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.757] lstrlenW (lpString=".jpg") returned 4 [0042.757] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.757] lstrlenW (lpString=".doc") returned 4 [0042.757] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".docx") returned 5 [0042.757] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0042.757] lstrlenW (lpString=".pdf") returned 4 [0042.757] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".xls") returned 4 [0042.757] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".xlsx") returned 5 [0042.757] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0042.757] lstrlenW (lpString=".ppt") returned 4 [0042.757] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.757] lstrlenW (lpString=".zip") returned 4 [0042.757] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.757] lstrlenW (lpString=".rar") returned 4 [0042.757] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".bz2") returned 4 [0042.757] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.757] lstrlenW (lpString=".7z") returned 3 [0042.758] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.758] lstrlenW (lpString=".dbf") returned 4 [0042.758] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.758] lstrlenW (lpString=".1cd") returned 4 [0042.758] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0042.758] lstrlenW (lpString=".jpg") returned 4 [0042.758] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.758] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.758] lstrlenW (lpString="oskmenubase.xml") returned 15 [0042.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.759] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=471) returned 1 [0042.759] CloseHandle (hObject=0x1c4) returned 1 [0042.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0042.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.759] lstrlenW (lpString=".doc") returned 4 [0042.759] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.759] lstrlenW (lpString=".docx") returned 5 [0042.759] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.759] lstrlenW (lpString=".pdf") returned 4 [0042.759] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.759] lstrlenW (lpString=".xls") returned 4 [0042.759] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.759] lstrlenW (lpString=".xlsx") returned 5 [0042.759] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.759] lstrlenW (lpString=".ppt") returned 4 [0042.759] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.759] lstrlenW (lpString=".zip") returned 4 [0042.759] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.759] lstrlenW (lpString=".rar") returned 4 [0042.759] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".bz2") returned 4 [0042.760] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".7z") returned 3 [0042.760] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.760] lstrlenW (lpString=".dbf") returned 4 [0042.760] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.760] lstrlenW (lpString=".1cd") returned 4 [0042.760] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.760] lstrlenW (lpString=".jpg") returned 4 [0042.760] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.760] lstrlenW (lpString=".doc") returned 4 [0042.760] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".docx") returned 5 [0042.760] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.760] lstrlenW (lpString=".pdf") returned 4 [0042.760] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".xls") returned 4 [0042.760] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".xlsx") returned 5 [0042.760] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.760] lstrlenW (lpString=".ppt") returned 4 [0042.760] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.760] lstrlenW (lpString=".zip") returned 4 [0042.760] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.760] lstrlenW (lpString=".rar") returned 4 [0042.760] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".bz2") returned 4 [0042.760] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.760] lstrlenW (lpString=".7z") returned 3 [0042.761] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.761] lstrlenW (lpString=".dbf") returned 4 [0042.761] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.761] lstrlenW (lpString=".1cd") returned 4 [0042.761] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0042.761] lstrlenW (lpString=".jpg") returned 4 [0042.761] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.761] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.761] lstrlenW (lpString="oskmenu.xml") returned 11 [0042.761] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.761] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=215) returned 1 [0042.761] CloseHandle (hObject=0x1c4) returned 1 [0042.761] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml")) returned 0x20 [0042.761] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.761] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString=".doc") returned 4 [0042.762] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString=".docx") returned 5 [0042.762] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0042.762] lstrlenW (lpString=".pdf") returned 4 [0042.762] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString=".xls") returned 4 [0042.762] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString=".xlsx") returned 5 [0042.762] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0042.762] lstrlenW (lpString=".ppt") returned 4 [0042.762] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString=".zip") returned 4 [0042.762] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.762] lstrlenW (lpString=".rar") returned 4 [0042.762] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString=".bz2") returned 4 [0042.762] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString=".7z") returned 3 [0042.762] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString=".dbf") returned 4 [0042.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString=".1cd") returned 4 [0042.762] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString=".jpg") returned 4 [0042.762] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.762] lstrlenW (lpString=".doc") returned 4 [0042.762] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.762] lstrlenW (lpString=".docx") returned 5 [0042.763] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0042.763] lstrlenW (lpString=".pdf") returned 4 [0042.763] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString=".xls") returned 4 [0042.763] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString=".xlsx") returned 5 [0042.763] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0042.763] lstrlenW (lpString=".ppt") returned 4 [0042.763] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.763] lstrlenW (lpString=".zip") returned 4 [0042.763] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.763] lstrlenW (lpString=".rar") returned 4 [0042.763] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString=".bz2") returned 4 [0042.763] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString=".7z") returned 3 [0042.763] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.763] lstrlenW (lpString=".dbf") returned 4 [0042.763] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.763] lstrlenW (lpString=".1cd") returned 4 [0042.763] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0042.763] lstrlenW (lpString=".jpg") returned 4 [0042.763] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.763] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.763] lstrlenW (lpString="osknumpadbase.xml") returned 17 [0042.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.764] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1437) returned 1 [0042.764] CloseHandle (hObject=0x1c4) returned 1 [0042.764] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml")) returned 0x20 [0042.764] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.764] lstrlenW (lpString=".doc") returned 4 [0042.764] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.764] lstrlenW (lpString=".docx") returned 5 [0042.764] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.764] lstrlenW (lpString=".pdf") returned 4 [0042.764] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.764] lstrlenW (lpString=".xls") returned 4 [0042.764] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.764] lstrlenW (lpString=".xlsx") returned 5 [0042.764] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.764] lstrlenW (lpString=".ppt") returned 4 [0042.764] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.764] lstrlenW (lpString=".zip") returned 4 [0042.764] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.764] lstrlenW (lpString=".rar") returned 4 [0042.764] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.764] lstrlenW (lpString=".bz2") returned 4 [0042.764] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString=".7z") returned 3 [0042.765] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.765] lstrlenW (lpString=".dbf") returned 4 [0042.765] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.765] lstrlenW (lpString=".1cd") returned 4 [0042.765] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.765] lstrlenW (lpString=".jpg") returned 4 [0042.765] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.765] lstrlenW (lpString=".doc") returned 4 [0042.765] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString=".docx") returned 5 [0042.765] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.765] lstrlenW (lpString=".pdf") returned 4 [0042.765] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString=".xls") returned 4 [0042.765] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString=".xlsx") returned 5 [0042.765] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.765] lstrlenW (lpString=".ppt") returned 4 [0042.765] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.765] lstrlenW (lpString=".zip") returned 4 [0042.765] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.765] lstrlenW (lpString=".rar") returned 4 [0042.765] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString=".bz2") returned 4 [0042.765] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.765] lstrlenW (lpString=".7z") returned 3 [0042.765] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.766] lstrlenW (lpString=".dbf") returned 4 [0042.766] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.766] lstrlenW (lpString=".1cd") returned 4 [0042.766] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0042.766] lstrlenW (lpString=".jpg") returned 4 [0042.766] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.766] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.766] lstrlenW (lpString="osknumpad.xml") returned 13 [0042.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.767] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=219) returned 1 [0042.767] CloseHandle (hObject=0x1c4) returned 1 [0042.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0042.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.767] lstrlenW (lpString=".doc") returned 4 [0042.767] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.767] lstrlenW (lpString=".docx") returned 5 [0042.767] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0042.767] lstrlenW (lpString=".pdf") returned 4 [0042.767] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.767] lstrlenW (lpString=".xls") returned 4 [0042.767] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.767] lstrlenW (lpString=".xlsx") returned 5 [0042.767] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0042.767] lstrlenW (lpString=".ppt") returned 4 [0042.767] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.767] lstrlenW (lpString=".zip") returned 4 [0042.767] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.767] lstrlenW (lpString=".rar") returned 4 [0042.768] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".bz2") returned 4 [0042.768] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".7z") returned 3 [0042.768] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.768] lstrlenW (lpString=".dbf") returned 4 [0042.768] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.768] lstrlenW (lpString=".1cd") returned 4 [0042.768] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.768] lstrlenW (lpString=".jpg") returned 4 [0042.768] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.768] lstrlenW (lpString=".doc") returned 4 [0042.768] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".docx") returned 5 [0042.768] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0042.768] lstrlenW (lpString=".pdf") returned 4 [0042.768] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".xls") returned 4 [0042.768] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".xlsx") returned 5 [0042.768] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0042.768] lstrlenW (lpString=".ppt") returned 4 [0042.768] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.768] lstrlenW (lpString=".zip") returned 4 [0042.768] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.768] lstrlenW (lpString=".rar") returned 4 [0042.768] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".bz2") returned 4 [0042.768] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.768] lstrlenW (lpString=".7z") returned 3 [0042.769] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.769] lstrlenW (lpString=".dbf") returned 4 [0042.769] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.769] lstrlenW (lpString=".1cd") returned 4 [0042.769] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0042.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0042.769] lstrlenW (lpString=".jpg") returned 4 [0042.769] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0042.769] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0042.769] lstrlenW (lpString="oskpredbase.xml") returned 15 [0042.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.770] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=924) returned 1 [0042.770] CloseHandle (hObject=0x1c4) returned 1 [0042.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml")) returned 0x20 [0042.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0042.770] lstrlenW (lpString=".doc") returned 4 [0042.770] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0042.770] lstrlenW (lpString=".docx") returned 5 [0042.770] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0042.770] lstrlenW (lpString=".pdf") returned 4 [0042.770] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0042.771] lstrlenW (lpString=".xls") returned 4 [0042.771] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0042.771] lstrlenW (lpString=".xlsx") returned 5 [0042.771] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0042.771] lstrlenW (lpString=".ppt") returned 4 [0042.771] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0042.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0042.771] lstrlenW (lpString=".zip") returned 4 [0042.771] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0042.771] lstrlenW (lpString=".rar") returned 4 [0042.771] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0042.771] lstrlenW (lpString=".bz2") returned 4 [0042.771] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0042.771] lstrlenW (lpString=".7z") returned 3 [0042.771] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0042.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0042.771] lstrlenW (lpString=".dbf") returned 4 [0042.771] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0042.771] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=215) returned 1 [0042.771] CloseHandle (hObject=0x1c4) returned 1 [0042.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml")) returned 0x20 [0042.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.772] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=749) returned 1 [0042.772] CloseHandle (hObject=0x1c4) returned 1 [0042.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml")) returned 0x20 [0042.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.773] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=749) returned 1 [0042.773] CloseHandle (hObject=0x1a0) returned 1 [0042.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml")) returned 0x20 [0042.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.773] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2764) returned 1 [0042.773] CloseHandle (hObject=0x1a0) returned 1 [0042.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml")) returned 0x20 [0042.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.774] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=591) returned 1 [0042.774] CloseHandle (hObject=0x1a0) returned 1 [0042.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml")) returned 0x20 [0042.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.775] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1166) returned 1 [0042.775] CloseHandle (hObject=0x1a0) returned 1 [0042.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml")) returned 0x20 [0042.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.776] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=207) returned 1 [0042.776] CloseHandle (hObject=0x1a0) returned 1 [0042.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml")) returned 0x20 [0042.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.777] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=46624) returned 1 [0042.777] CloseHandle (hObject=0x1a0) returned 1 [0042.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat")) returned 0x20 [0042.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.778] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=747280) returned 1 [0042.778] CloseHandle (hObject=0x1a0) returned 1 [0042.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat")) returned 0x20 [0042.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.779] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=815680) returned 1 [0042.779] CloseHandle (hObject=0x1a0) returned 1 [0042.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat")) returned 0x20 [0042.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.780] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1100368) returned 1 [0042.780] CloseHandle (hObject=0x1a0) returned 1 [0042.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat")) returned 0x20 [0042.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.781] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3053984) returned 1 [0042.781] CloseHandle (hObject=0x1a0) returned 1 [0042.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat")) returned 0x20 [0042.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.781] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0042.781] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2227968) returned 1 [0042.781] CloseHandle (hObject=0x1a0) returned 1 [0042.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat")) returned 0x20 [0042.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.782] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0042.783] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3195696) returned 1 [0042.783] CloseHandle (hObject=0x1a0) returned 1 [0042.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat")) returned 0x20 [0042.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0042.783] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4120784) returned 1 [0042.783] CloseHandle (hObject=0x1a0) returned 1 [0042.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat")) returned 0x20 [0042.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0042.784] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2592) returned 1 [0042.784] CloseHandle (hObject=0x1a0) returned 1 [0042.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml")) returned 0x20 [0042.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.785] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2462) returned 1 [0042.785] CloseHandle (hObject=0x1a0) returned 1 [0042.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml")) returned 0x20 [0042.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.229] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0043.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0043.230] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.230] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.230] ReadFile (in: hFile=0x194, lpBuffer=0x34d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c6fc38, lpOverlapped=0x0 | out: lpBuffer=0x34d0058*, lpNumberOfBytesRead=0x2c6fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.235] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.235] ReadFile (in: hFile=0x194, lpBuffer=0x3510058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c6fc38, lpOverlapped=0x0 | out: lpBuffer=0x3510058*, lpNumberOfBytesRead=0x2c6fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.241] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2c6fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.241] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.241] ReadFile (in: hFile=0x194, lpBuffer=0x3550058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c6fc38, lpOverlapped=0x0 | out: lpBuffer=0x3550058*, lpNumberOfBytesRead=0x2c6fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.287] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.287] WriteFile (in: hFile=0x194, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2c6fcb0, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0043.489] SetEndOfFile (hFile=0x194) returned 1 [0043.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0043.489] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.490] WriteFile (in: hFile=0x194, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c6fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x2c6fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.491] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.491] WriteFile (in: hFile=0x194, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c6fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x2c6fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.493] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.493] WriteFile (in: hFile=0x194, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c6fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x2c6fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.496] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0043.496] CloseHandle (hObject=0x194) returned 1 [0044.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.017] lstrlenW (lpString=".doc") returned 4 [0044.017] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0044.017] lstrlenW (lpString=".docx") returned 5 [0044.017] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0044.017] lstrlenW (lpString=".pdf") returned 4 [0044.017] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0044.017] lstrlenW (lpString=".xls") returned 4 [0044.017] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0044.017] lstrlenW (lpString=".xlsx") returned 5 [0044.017] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0044.017] lstrlenW (lpString=".ppt") returned 4 [0044.017] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0044.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.017] lstrlenW (lpString=".zip") returned 4 [0044.017] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0044.017] lstrlenW (lpString=".rar") returned 4 [0044.017] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0044.017] lstrlenW (lpString=".bz2") returned 4 [0044.017] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0044.017] lstrlenW (lpString=".7z") returned 3 [0044.017] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0044.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.017] lstrlenW (lpString=".dbf") returned 4 [0044.017] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString=".1cd") returned 4 [0044.018] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString=".jpg") returned 4 [0044.018] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString=".doc") returned 4 [0044.018] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString=".docx") returned 5 [0044.018] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0044.018] lstrlenW (lpString=".pdf") returned 4 [0044.018] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString=".xls") returned 4 [0044.018] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString=".xlsx") returned 5 [0044.018] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0044.018] lstrlenW (lpString=".ppt") returned 4 [0044.018] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString=".zip") returned 4 [0044.018] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString=".rar") returned 4 [0044.018] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString=".bz2") returned 4 [0044.018] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0044.018] lstrlenW (lpString=".7z") returned 3 [0044.018] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString=".dbf") returned 4 [0044.018] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0044.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.018] lstrlenW (lpString=".1cd") returned 4 [0044.018] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0044.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0044.019] lstrlenW (lpString=".jpg") returned 4 [0044.019] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0044.019] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.019] lstrlenW (lpString="BRANDING.XML") returned 12 [0044.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.047] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=596341) returned 1 [0044.047] CloseHandle (hObject=0x200) returned 1 [0044.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0044.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.047] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.047] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.048] GetLastError () returned 0x0 [0044.048] ReadFile (in: hFile=0x200, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x91975, lpOverlapped=0x0) returned 1 [0044.061] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0044.071] ReadFile (in: hFile=0x200, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.071] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.072] SetEndOfFile (hFile=0x1f4) returned 1 [0044.072] CloseHandle (hObject=0x1f4) returned 1 [0044.236] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.236] SetEndOfFile (hFile=0x200) returned 1 [0044.359] CloseHandle (hObject=0x200) returned 1 [0044.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.359] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0044.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.438] lstrlenW (lpString=".doc") returned 4 [0044.438] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.438] lstrlenW (lpString=".docx") returned 5 [0044.438] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0044.438] lstrlenW (lpString=".pdf") returned 4 [0044.438] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.438] lstrlenW (lpString=".xls") returned 4 [0044.438] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString=".xlsx") returned 5 [0044.439] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0044.439] lstrlenW (lpString=".ppt") returned 4 [0044.439] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.439] lstrlenW (lpString=".zip") returned 4 [0044.439] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.439] lstrlenW (lpString=".rar") returned 4 [0044.439] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString=".bz2") returned 4 [0044.439] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString=".7z") returned 3 [0044.439] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.439] lstrlenW (lpString=".dbf") returned 4 [0044.439] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.439] lstrlenW (lpString=".1cd") returned 4 [0044.439] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.439] lstrlenW (lpString=".jpg") returned 4 [0044.439] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.439] lstrlenW (lpString=".doc") returned 4 [0044.439] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.439] lstrlenW (lpString=".docx") returned 5 [0044.439] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0044.439] lstrlenW (lpString=".pdf") returned 4 [0044.440] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString=".xls") returned 4 [0044.440] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString=".xlsx") returned 5 [0044.440] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0044.440] lstrlenW (lpString=".ppt") returned 4 [0044.440] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.440] lstrlenW (lpString=".zip") returned 4 [0044.440] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.440] lstrlenW (lpString=".rar") returned 4 [0044.440] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString=".bz2") returned 4 [0044.440] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString=".7z") returned 3 [0044.440] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.440] lstrlenW (lpString=".dbf") returned 4 [0044.440] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.440] lstrlenW (lpString=".1cd") returned 4 [0044.440] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0044.440] lstrlenW (lpString=".jpg") returned 4 [0044.440] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.440] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.440] lstrlenW (lpString="SETUP.XML") returned 9 [0044.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.941] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=9352) returned 1 [0044.941] CloseHandle (hObject=0x19c) returned 1 [0044.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0044.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.941] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.941] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0044.941] GetLastError () returned 0x0 [0044.942] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x2488, lpOverlapped=0x0) returned 1 [0044.943] WriteFile (in: hFile=0x1e8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0044.944] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.944] WriteFile (in: hFile=0x1e8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0044.945] SetEndOfFile (hFile=0x1e8) returned 1 [0044.945] CloseHandle (hObject=0x1e8) returned 1 [0044.946] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.946] SetEndOfFile (hFile=0x19c) returned 1 [0044.947] CloseHandle (hObject=0x19c) returned 1 [0044.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.947] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0044.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.947] lstrlenW (lpString=".doc") returned 4 [0044.947] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.947] lstrlenW (lpString=".docx") returned 5 [0044.947] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0044.947] lstrlenW (lpString=".pdf") returned 4 [0044.947] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.947] lstrlenW (lpString=".xls") returned 4 [0044.947] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.947] lstrlenW (lpString=".xlsx") returned 5 [0044.947] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0044.947] lstrlenW (lpString=".ppt") returned 4 [0044.947] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.947] lstrlenW (lpString=".zip") returned 4 [0044.948] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.948] lstrlenW (lpString=".rar") returned 4 [0044.948] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString=".bz2") returned 4 [0044.948] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString=".7z") returned 3 [0044.948] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.948] lstrlenW (lpString=".dbf") returned 4 [0044.948] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.948] lstrlenW (lpString=".1cd") returned 4 [0044.948] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.948] lstrlenW (lpString=".jpg") returned 4 [0044.948] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.948] lstrlenW (lpString=".doc") returned 4 [0044.948] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString=".docx") returned 5 [0044.948] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0044.948] lstrlenW (lpString=".pdf") returned 4 [0044.948] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString=".xls") returned 4 [0044.948] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString=".xlsx") returned 5 [0044.948] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0044.948] lstrlenW (lpString=".ppt") returned 4 [0044.948] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.948] lstrlenW (lpString=".zip") returned 4 [0044.948] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.948] lstrlenW (lpString=".rar") returned 4 [0044.948] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.948] lstrlenW (lpString=".bz2") returned 4 [0044.949] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.949] lstrlenW (lpString=".7z") returned 3 [0044.949] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.949] lstrlenW (lpString=".dbf") returned 4 [0044.949] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.949] lstrlenW (lpString=".1cd") returned 4 [0044.949] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0044.949] lstrlenW (lpString=".jpg") returned 4 [0044.949] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.949] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.949] lstrlenW (lpString="Office32MUI.XML") returned 15 [0044.949] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.950] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1383) returned 1 [0044.950] CloseHandle (hObject=0x19c) returned 1 [0044.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0044.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.951] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.951] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.953] GetLastError () returned 0x0 [0044.953] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x567, lpOverlapped=0x0) returned 1 [0044.954] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x570, lpOverlapped=0x0) returned 1 [0044.955] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.955] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0044.955] SetEndOfFile (hFile=0x188) returned 1 [0044.956] CloseHandle (hObject=0x188) returned 1 [0044.956] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.957] SetEndOfFile (hFile=0x19c) returned 1 [0044.957] CloseHandle (hObject=0x19c) returned 1 [0044.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.959] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0044.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.959] lstrlenW (lpString=".doc") returned 4 [0044.959] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.959] lstrlenW (lpString=".docx") returned 5 [0044.959] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0044.959] lstrlenW (lpString=".pdf") returned 4 [0044.959] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.959] lstrlenW (lpString=".xls") returned 4 [0044.959] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.959] lstrlenW (lpString=".xlsx") returned 5 [0044.959] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0044.959] lstrlenW (lpString=".ppt") returned 4 [0044.959] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.960] lstrlenW (lpString=".zip") returned 4 [0044.960] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.960] lstrlenW (lpString=".rar") returned 4 [0044.960] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString=".bz2") returned 4 [0044.960] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString=".7z") returned 3 [0044.960] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.960] lstrlenW (lpString=".dbf") returned 4 [0044.960] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.960] lstrlenW (lpString=".1cd") returned 4 [0044.960] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.960] lstrlenW (lpString=".jpg") returned 4 [0044.960] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.960] lstrlenW (lpString=".doc") returned 4 [0044.960] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString=".docx") returned 5 [0044.960] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0044.960] lstrlenW (lpString=".pdf") returned 4 [0044.960] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString=".xls") returned 4 [0044.960] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.960] lstrlenW (lpString=".xlsx") returned 5 [0044.960] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0044.960] lstrlenW (lpString=".ppt") returned 4 [0044.961] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.961] lstrlenW (lpString=".zip") returned 4 [0044.961] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.961] lstrlenW (lpString=".rar") returned 4 [0044.961] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.961] lstrlenW (lpString=".bz2") returned 4 [0044.961] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.961] lstrlenW (lpString=".7z") returned 3 [0044.961] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.961] lstrlenW (lpString=".dbf") returned 4 [0044.961] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.961] lstrlenW (lpString=".1cd") returned 4 [0044.961] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0044.961] lstrlenW (lpString=".jpg") returned 4 [0044.961] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.961] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.961] lstrlenW (lpString="SETUP.XML") returned 9 [0044.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.962] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2362) returned 1 [0044.962] CloseHandle (hObject=0x19c) returned 1 [0044.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0044.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.962] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.962] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.963] GetLastError () returned 0x0 [0044.963] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x93a, lpOverlapped=0x0) returned 1 [0044.964] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x940, lpOverlapped=0x0) returned 1 [0044.965] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.965] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0044.965] SetEndOfFile (hFile=0x188) returned 1 [0044.966] CloseHandle (hObject=0x188) returned 1 [0044.966] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.966] SetEndOfFile (hFile=0x19c) returned 1 [0044.967] CloseHandle (hObject=0x19c) returned 1 [0044.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.968] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.968] lstrlenW (lpString=".doc") returned 4 [0044.968] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.968] lstrlenW (lpString=".docx") returned 5 [0044.968] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0044.968] lstrlenW (lpString=".pdf") returned 4 [0044.968] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.968] lstrlenW (lpString=".xls") returned 4 [0044.968] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.968] lstrlenW (lpString=".xlsx") returned 5 [0044.968] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0044.968] lstrlenW (lpString=".ppt") returned 4 [0044.968] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.968] lstrlenW (lpString=".zip") returned 4 [0044.968] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.968] lstrlenW (lpString=".rar") returned 4 [0044.969] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString=".bz2") returned 4 [0044.969] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString=".7z") returned 3 [0044.969] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.969] lstrlenW (lpString=".dbf") returned 4 [0044.969] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.969] lstrlenW (lpString=".1cd") returned 4 [0044.969] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.969] lstrlenW (lpString=".jpg") returned 4 [0044.969] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.969] lstrlenW (lpString=".doc") returned 4 [0044.969] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString=".docx") returned 5 [0044.969] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0044.969] lstrlenW (lpString=".pdf") returned 4 [0044.969] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString=".xls") returned 4 [0044.969] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString=".xlsx") returned 5 [0044.969] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0044.969] lstrlenW (lpString=".ppt") returned 4 [0044.969] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.969] lstrlenW (lpString=".zip") returned 4 [0044.970] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.970] lstrlenW (lpString=".rar") returned 4 [0044.970] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.970] lstrlenW (lpString=".bz2") returned 4 [0044.970] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.970] lstrlenW (lpString=".7z") returned 3 [0044.970] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.970] lstrlenW (lpString=".dbf") returned 4 [0044.970] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.970] lstrlenW (lpString=".1cd") returned 4 [0044.970] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0044.970] lstrlenW (lpString=".jpg") returned 4 [0044.970] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.970] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.970] lstrlenW (lpString="Office32WW.XML") returned 14 [0044.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.971] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4274) returned 1 [0044.971] CloseHandle (hObject=0x19c) returned 1 [0044.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0044.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.971] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.971] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.971] GetLastError () returned 0x0 [0044.972] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0044.974] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0044.975] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.975] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0044.975] SetEndOfFile (hFile=0x188) returned 1 [0044.975] CloseHandle (hObject=0x188) returned 1 [0044.976] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.976] SetEndOfFile (hFile=0x19c) returned 1 [0044.977] CloseHandle (hObject=0x19c) returned 1 [0044.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0044.977] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0044.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.977] lstrlenW (lpString=".doc") returned 4 [0044.977] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString=".docx") returned 5 [0044.978] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0044.978] lstrlenW (lpString=".pdf") returned 4 [0044.978] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString=".xls") returned 4 [0044.978] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString=".xlsx") returned 5 [0044.978] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0044.978] lstrlenW (lpString=".ppt") returned 4 [0044.978] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.978] lstrlenW (lpString=".zip") returned 4 [0044.978] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.978] lstrlenW (lpString=".rar") returned 4 [0044.978] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString=".bz2") returned 4 [0044.978] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString=".7z") returned 3 [0044.978] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.978] lstrlenW (lpString=".dbf") returned 4 [0044.978] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.978] lstrlenW (lpString=".1cd") returned 4 [0044.978] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.978] lstrlenW (lpString=".jpg") returned 4 [0044.978] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.978] lstrlenW (lpString=".doc") returned 4 [0044.979] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString=".docx") returned 5 [0044.979] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0044.979] lstrlenW (lpString=".pdf") returned 4 [0044.979] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString=".xls") returned 4 [0044.979] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString=".xlsx") returned 5 [0044.979] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0044.979] lstrlenW (lpString=".ppt") returned 4 [0044.979] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.979] lstrlenW (lpString=".zip") returned 4 [0044.979] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0044.979] lstrlenW (lpString=".rar") returned 4 [0044.979] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString=".bz2") returned 4 [0044.979] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString=".7z") returned 3 [0044.979] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0044.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.979] lstrlenW (lpString=".dbf") returned 4 [0044.979] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.979] lstrlenW (lpString=".1cd") returned 4 [0044.979] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0044.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0044.979] lstrlenW (lpString=".jpg") returned 4 [0044.979] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0044.980] lstrcmpiW (lpString1=".XML", lpString2=".NcOv") returned 1 [0044.980] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0044.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.980] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1606) returned 1 [0044.980] CloseHandle (hObject=0x19c) returned 1 [0044.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0044.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0044.980] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.980] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0046.877] GetLastError () returned 0x0 [0046.877] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x646, lpOverlapped=0x0) returned 1 [0047.058] WriteFile (in: hFile=0x1a0, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x650, lpOverlapped=0x0) returned 1 [0047.775] ReadFile (in: hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.775] WriteFile (in: hFile=0x1a0, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0047.775] SetEndOfFile (hFile=0x1a0) returned 1 [0047.775] CloseHandle (hObject=0x1a0) returned 1 [0047.776] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.776] SetEndOfFile (hFile=0x19c) returned 1 [0047.777] CloseHandle (hObject=0x19c) returned 1 [0047.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0047.777] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.777] lstrlenW (lpString=".doc") returned 4 [0047.777] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0047.777] lstrlenW (lpString=".docx") returned 5 [0047.777] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0047.778] lstrlenW (lpString=".pdf") returned 4 [0047.778] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString=".xls") returned 4 [0047.778] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString=".xlsx") returned 5 [0047.778] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0047.778] lstrlenW (lpString=".ppt") returned 4 [0047.778] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.778] lstrlenW (lpString=".zip") returned 4 [0047.778] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0047.778] lstrlenW (lpString=".rar") returned 4 [0047.778] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString=".bz2") returned 4 [0047.778] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString=".7z") returned 3 [0047.778] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.778] lstrlenW (lpString=".dbf") returned 4 [0047.778] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.778] lstrlenW (lpString=".1cd") returned 4 [0047.778] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.778] lstrlenW (lpString=".jpg") returned 4 [0047.778] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.778] lstrlenW (lpString=".doc") returned 4 [0047.778] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString=".docx") returned 5 [0047.778] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0047.778] lstrlenW (lpString=".pdf") returned 4 [0047.778] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0047.778] lstrlenW (lpString=".xls") returned 4 [0047.779] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0047.779] lstrlenW (lpString=".xlsx") returned 5 [0047.779] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0047.779] lstrlenW (lpString=".ppt") returned 4 [0047.779] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0047.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.779] lstrlenW (lpString=".zip") returned 4 [0047.779] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0047.779] lstrlenW (lpString=".rar") returned 4 [0047.779] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0047.779] lstrlenW (lpString=".bz2") returned 4 [0047.779] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0047.779] lstrlenW (lpString=".7z") returned 3 [0047.779] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0047.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.779] lstrlenW (lpString=".dbf") returned 4 [0047.779] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0047.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.779] lstrlenW (lpString=".1cd") returned 4 [0047.779] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0047.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0047.779] lstrlenW (lpString=".jpg") returned 4 [0047.779] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0047.779] lstrcmpiW (lpString1=".emf", lpString2=".NcOv") returned -1 [0047.779] lstrlenW (lpString="Graph.emf") returned 9 [0047.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0048.308] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=116724) returned 1 [0048.308] CloseHandle (hObject=0x1ec) returned 1 [0048.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0048.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.316] lstrlenW (lpString=".doc") returned 4 [0048.316] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0048.316] lstrlenW (lpString=".docx") returned 5 [0048.317] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0048.317] lstrlenW (lpString=".pdf") returned 4 [0048.317] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0048.321] lstrlenW (lpString=".xls") returned 4 [0048.321] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0048.321] lstrlenW (lpString=".xlsx") returned 5 [0048.321] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0048.321] lstrlenW (lpString=".ppt") returned 4 [0048.321] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0048.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.321] lstrlenW (lpString=".zip") returned 4 [0048.321] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0048.321] lstrlenW (lpString=".rar") returned 4 [0048.321] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0048.321] lstrlenW (lpString=".bz2") returned 4 [0048.321] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0048.321] lstrlenW (lpString=".7z") returned 3 [0048.321] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0048.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.321] lstrlenW (lpString=".dbf") returned 4 [0048.321] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0048.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.321] lstrlenW (lpString=".1cd") returned 4 [0048.321] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0048.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.324] lstrlenW (lpString=".jpg") returned 4 [0048.324] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0048.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.328] lstrlenW (lpString=".doc") returned 4 [0048.328] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0048.328] lstrlenW (lpString=".docx") returned 5 [0048.328] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0048.328] lstrlenW (lpString=".pdf") returned 4 [0048.328] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0048.328] lstrlenW (lpString=".xls") returned 4 [0048.331] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0048.331] lstrlenW (lpString=".xlsx") returned 5 [0048.331] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0048.331] lstrlenW (lpString=".ppt") returned 4 [0048.331] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0048.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.332] lstrlenW (lpString=".zip") returned 4 [0048.332] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0048.332] lstrlenW (lpString=".rar") returned 4 [0048.332] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0048.332] lstrlenW (lpString=".bz2") returned 4 [0048.332] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0048.334] lstrlenW (lpString=".7z") returned 3 [0048.334] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0048.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.334] lstrlenW (lpString=".dbf") returned 4 [0048.334] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0048.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.335] lstrlenW (lpString=".1cd") returned 4 [0048.336] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0048.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0048.336] lstrlenW (lpString=".jpg") returned 4 [0048.336] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0048.336] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0048.336] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0048.336] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=34916) returned 1 [0048.336] CloseHandle (hObject=0x1ec) returned 1 [0048.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0048.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0048.337] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.337] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0048.337] GetLastError () returned 0x0 [0048.337] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x8864, lpOverlapped=0x0) returned 1 [0048.752] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x8870, lpOverlapped=0x0) returned 1 [0048.762] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.762] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.762] SetEndOfFile (hFile=0x1f8) returned 1 [0048.762] CloseHandle (hObject=0x1f8) returned 1 [0048.763] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.763] SetEndOfFile (hFile=0x1ec) returned 1 [0048.764] CloseHandle (hObject=0x1ec) returned 1 [0048.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0048.764] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0048.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString=".doc") returned 4 [0048.765] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString=".docx") returned 5 [0048.765] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.765] lstrlenW (lpString=".pdf") returned 4 [0048.765] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString=".xls") returned 4 [0048.765] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.765] lstrlenW (lpString=".xlsx") returned 5 [0048.765] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.765] lstrlenW (lpString=".ppt") returned 4 [0048.765] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString=".zip") returned 4 [0048.765] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.765] lstrlenW (lpString=".rar") returned 4 [0048.765] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.765] lstrlenW (lpString=".bz2") returned 4 [0048.765] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString=".7z") returned 3 [0048.765] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString=".dbf") returned 4 [0048.765] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString=".1cd") returned 4 [0048.765] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString=".jpg") returned 4 [0048.765] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.765] lstrlenW (lpString=".doc") returned 4 [0048.765] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.765] lstrlenW (lpString=".docx") returned 5 [0048.766] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.766] lstrlenW (lpString=".pdf") returned 4 [0048.766] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.766] lstrlenW (lpString=".xls") returned 4 [0048.766] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.766] lstrlenW (lpString=".xlsx") returned 5 [0048.766] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.766] lstrlenW (lpString=".ppt") returned 4 [0048.766] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.766] lstrlenW (lpString=".zip") returned 4 [0048.766] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.766] lstrlenW (lpString=".rar") returned 4 [0048.766] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.766] lstrlenW (lpString=".bz2") returned 4 [0048.766] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.766] lstrlenW (lpString=".7z") returned 3 [0048.766] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.766] lstrlenW (lpString=".dbf") returned 4 [0048.766] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.766] lstrlenW (lpString=".1cd") returned 4 [0048.766] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0048.766] lstrlenW (lpString=".jpg") returned 4 [0048.766] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.766] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0048.766] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.197] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=20627) returned 1 [0049.197] CloseHandle (hObject=0x20c) returned 1 [0049.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0049.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.198] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.198] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.198] GetLastError () returned 0x0 [0049.198] ReadFile (in: hFile=0x20c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x5093, lpOverlapped=0x0) returned 1 [0049.209] WriteFile (in: hFile=0x208, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0049.211] ReadFile (in: hFile=0x20c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.211] WriteFile (in: hFile=0x208, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.211] SetEndOfFile (hFile=0x208) returned 1 [0049.211] CloseHandle (hObject=0x208) returned 1 [0049.211] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.211] SetEndOfFile (hFile=0x20c) returned 1 [0049.212] CloseHandle (hObject=0x20c) returned 1 [0049.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.213] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0049.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.213] lstrlenW (lpString=".doc") returned 4 [0049.213] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.213] lstrlenW (lpString=".docx") returned 5 [0049.213] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.213] lstrlenW (lpString=".pdf") returned 4 [0049.213] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.213] lstrlenW (lpString=".xls") returned 4 [0049.213] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.213] lstrlenW (lpString=".xlsx") returned 5 [0049.213] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.213] lstrlenW (lpString=".ppt") returned 4 [0049.213] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.213] lstrlenW (lpString=".zip") returned 4 [0049.213] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.213] lstrlenW (lpString=".rar") returned 4 [0049.213] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.213] lstrlenW (lpString=".bz2") returned 4 [0049.213] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.213] lstrlenW (lpString=".7z") returned 3 [0049.213] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.213] lstrlenW (lpString=".dbf") returned 4 [0049.214] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString=".1cd") returned 4 [0049.214] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString=".jpg") returned 4 [0049.214] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString=".doc") returned 4 [0049.214] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString=".docx") returned 5 [0049.214] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.214] lstrlenW (lpString=".pdf") returned 4 [0049.214] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString=".xls") returned 4 [0049.214] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.214] lstrlenW (lpString=".xlsx") returned 5 [0049.214] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.214] lstrlenW (lpString=".ppt") returned 4 [0049.214] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString=".zip") returned 4 [0049.214] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.214] lstrlenW (lpString=".rar") returned 4 [0049.214] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.214] lstrlenW (lpString=".bz2") returned 4 [0049.214] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString=".7z") returned 3 [0049.214] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString=".dbf") returned 4 [0049.214] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.214] lstrlenW (lpString=".1cd") returned 4 [0049.214] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0049.215] lstrlenW (lpString=".jpg") returned 4 [0049.215] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.215] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0049.215] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.215] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3479) returned 1 [0049.215] CloseHandle (hObject=0x20c) returned 1 [0049.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0049.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.215] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.216] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.222] GetLastError () returned 0x0 [0049.222] ReadFile (in: hFile=0x20c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0xd97, lpOverlapped=0x0) returned 1 [0049.256] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0049.257] ReadFile (in: hFile=0x20c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.257] WriteFile (in: hFile=0x200, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.257] SetEndOfFile (hFile=0x200) returned 1 [0049.257] CloseHandle (hObject=0x200) returned 1 [0049.258] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.258] SetEndOfFile (hFile=0x20c) returned 1 [0049.258] CloseHandle (hObject=0x20c) returned 1 [0049.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.259] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0049.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.259] lstrlenW (lpString=".doc") returned 4 [0049.259] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.259] lstrlenW (lpString=".docx") returned 5 [0049.259] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.259] lstrlenW (lpString=".pdf") returned 4 [0049.259] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.259] lstrlenW (lpString=".xls") returned 4 [0049.259] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.259] lstrlenW (lpString=".xlsx") returned 5 [0049.259] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.259] lstrlenW (lpString=".ppt") returned 4 [0049.259] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.259] lstrlenW (lpString=".zip") returned 4 [0049.259] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.259] lstrlenW (lpString=".rar") returned 4 [0049.259] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.259] lstrlenW (lpString=".bz2") returned 4 [0049.259] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.259] lstrlenW (lpString=".7z") returned 3 [0049.260] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString=".dbf") returned 4 [0049.260] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString=".1cd") returned 4 [0049.260] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString=".jpg") returned 4 [0049.260] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString=".doc") returned 4 [0049.260] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.260] lstrlenW (lpString=".docx") returned 5 [0049.260] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.260] lstrlenW (lpString=".pdf") returned 4 [0049.260] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.260] lstrlenW (lpString=".xls") returned 4 [0049.260] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.260] lstrlenW (lpString=".xlsx") returned 5 [0049.260] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.260] lstrlenW (lpString=".ppt") returned 4 [0049.260] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString=".zip") returned 4 [0049.260] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.260] lstrlenW (lpString=".rar") returned 4 [0049.260] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.260] lstrlenW (lpString=".bz2") returned 4 [0049.260] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.260] lstrlenW (lpString=".7z") returned 3 [0049.260] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.260] lstrlenW (lpString=".dbf") returned 4 [0049.260] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.261] lstrlenW (lpString=".1cd") returned 4 [0049.261] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0049.261] lstrlenW (lpString=".jpg") returned 4 [0049.261] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.261] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0049.261] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.262] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2722) returned 1 [0049.262] CloseHandle (hObject=0x20c) returned 1 [0049.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0049.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.263] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.263] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0049.420] GetLastError () returned 0x0 [0049.420] ReadFile (in: hFile=0x20c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0049.424] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0049.425] ReadFile (in: hFile=0x20c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.425] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.425] SetEndOfFile (hFile=0x188) returned 1 [0049.425] CloseHandle (hObject=0x188) returned 1 [0049.425] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.426] SetEndOfFile (hFile=0x20c) returned 1 [0049.426] CloseHandle (hObject=0x20c) returned 1 [0049.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.427] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0049.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.427] lstrlenW (lpString=".doc") returned 4 [0049.427] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.427] lstrlenW (lpString=".docx") returned 5 [0049.427] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.427] lstrlenW (lpString=".pdf") returned 4 [0049.427] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.427] lstrlenW (lpString=".xls") returned 4 [0049.427] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.428] lstrlenW (lpString=".xlsx") returned 5 [0049.428] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.428] lstrlenW (lpString=".ppt") returned 4 [0049.428] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.428] lstrlenW (lpString=".zip") returned 4 [0049.428] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.428] lstrlenW (lpString=".rar") returned 4 [0049.428] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.428] lstrlenW (lpString=".bz2") returned 4 [0049.428] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.428] lstrlenW (lpString=".7z") returned 3 [0049.428] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.428] lstrlenW (lpString=".dbf") returned 4 [0049.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.428] lstrlenW (lpString=".1cd") returned 4 [0049.428] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.428] lstrlenW (lpString=".jpg") returned 4 [0049.428] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.428] lstrlenW (lpString=".doc") returned 4 [0049.429] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.429] lstrlenW (lpString=".docx") returned 5 [0049.429] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.429] lstrlenW (lpString=".pdf") returned 4 [0049.429] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.429] lstrlenW (lpString=".xls") returned 4 [0049.429] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.429] lstrlenW (lpString=".xlsx") returned 5 [0049.429] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.429] lstrlenW (lpString=".ppt") returned 4 [0049.429] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.429] lstrlenW (lpString=".zip") returned 4 [0049.429] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.429] lstrlenW (lpString=".rar") returned 4 [0049.429] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.429] lstrlenW (lpString=".bz2") returned 4 [0049.429] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.429] lstrlenW (lpString=".7z") returned 3 [0049.429] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.429] lstrlenW (lpString=".dbf") returned 4 [0049.429] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.429] lstrlenW (lpString=".1cd") returned 4 [0049.429] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0049.429] lstrlenW (lpString=".jpg") returned 4 [0049.429] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.942] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.942] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.942] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.961] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=20575) returned 1 [0049.961] CloseHandle (hObject=0x210) returned 1 [0049.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0049.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0049.974] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.974] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.985] GetLastError () returned 0x0 [0049.985] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x505f, lpOverlapped=0x0) returned 1 [0049.991] WriteFile (in: hFile=0x204, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x5060, lpOverlapped=0x0) returned 1 [0049.993] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.993] WriteFile (in: hFile=0x204, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.993] SetEndOfFile (hFile=0x204) returned 1 [0049.993] CloseHandle (hObject=0x204) returned 1 [0049.993] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.994] SetEndOfFile (hFile=0x1ec) returned 1 [0049.994] CloseHandle (hObject=0x1ec) returned 1 [0049.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0049.995] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0049.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.995] lstrlenW (lpString=".doc") returned 4 [0049.995] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.995] lstrlenW (lpString=".docx") returned 5 [0049.995] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.995] lstrlenW (lpString=".pdf") returned 4 [0049.995] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.995] lstrlenW (lpString=".xls") returned 4 [0049.995] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.995] lstrlenW (lpString=".xlsx") returned 5 [0049.995] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.995] lstrlenW (lpString=".ppt") returned 4 [0049.995] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.995] lstrlenW (lpString=".zip") returned 4 [0049.995] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.996] lstrlenW (lpString=".rar") returned 4 [0049.996] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.996] lstrlenW (lpString=".bz2") returned 4 [0049.996] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.996] lstrlenW (lpString=".7z") returned 3 [0049.996] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.996] lstrlenW (lpString=".dbf") returned 4 [0049.996] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.996] lstrlenW (lpString=".1cd") returned 4 [0049.996] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.996] lstrlenW (lpString=".jpg") returned 4 [0049.996] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.996] lstrlenW (lpString=".doc") returned 4 [0049.996] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.996] lstrlenW (lpString=".docx") returned 5 [0049.996] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.996] lstrlenW (lpString=".pdf") returned 4 [0049.996] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.996] lstrlenW (lpString=".xls") returned 4 [0049.996] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.996] lstrlenW (lpString=".xlsx") returned 5 [0049.996] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.997] lstrlenW (lpString=".ppt") returned 4 [0049.997] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.997] lstrlenW (lpString=".zip") returned 4 [0049.997] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.997] lstrlenW (lpString=".rar") returned 4 [0049.997] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.997] lstrlenW (lpString=".bz2") returned 4 [0049.997] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.997] lstrlenW (lpString=".7z") returned 3 [0049.997] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.997] lstrlenW (lpString=".dbf") returned 4 [0049.997] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.997] lstrlenW (lpString=".1cd") returned 4 [0049.997] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0049.997] lstrlenW (lpString=".jpg") returned 4 [0049.997] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.997] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0049.997] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.004] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=25106) returned 1 [0050.004] CloseHandle (hObject=0x204) returned 1 [0050.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0050.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.007] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.007] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0050.020] GetLastError () returned 0x0 [0050.020] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x6212, lpOverlapped=0x0) returned 1 [0050.032] WriteFile (in: hFile=0x1ec, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x6220, lpOverlapped=0x0) returned 1 [0050.033] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.033] WriteFile (in: hFile=0x1ec, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.033] SetEndOfFile (hFile=0x1ec) returned 1 [0050.034] CloseHandle (hObject=0x1ec) returned 1 [0050.034] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.034] SetEndOfFile (hFile=0x204) returned 1 [0050.035] CloseHandle (hObject=0x204) returned 1 [0050.035] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.035] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0050.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.036] lstrlenW (lpString=".doc") returned 4 [0050.036] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.036] lstrlenW (lpString=".docx") returned 5 [0050.036] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.036] lstrlenW (lpString=".pdf") returned 4 [0050.036] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.036] lstrlenW (lpString=".xls") returned 4 [0050.036] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.036] lstrlenW (lpString=".xlsx") returned 5 [0050.036] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.036] lstrlenW (lpString=".ppt") returned 4 [0050.036] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.036] lstrlenW (lpString=".zip") returned 4 [0050.036] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.036] lstrlenW (lpString=".rar") returned 4 [0050.036] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.036] lstrlenW (lpString=".bz2") returned 4 [0050.036] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.036] lstrlenW (lpString=".7z") returned 3 [0050.036] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.036] lstrlenW (lpString=".dbf") returned 4 [0050.036] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.036] lstrlenW (lpString=".1cd") returned 4 [0050.036] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString=".jpg") returned 4 [0050.037] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString=".doc") returned 4 [0050.037] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.037] lstrlenW (lpString=".docx") returned 5 [0050.037] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.037] lstrlenW (lpString=".pdf") returned 4 [0050.037] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.037] lstrlenW (lpString=".xls") returned 4 [0050.037] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.037] lstrlenW (lpString=".xlsx") returned 5 [0050.037] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.037] lstrlenW (lpString=".ppt") returned 4 [0050.037] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString=".zip") returned 4 [0050.037] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.037] lstrlenW (lpString=".rar") returned 4 [0050.037] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.037] lstrlenW (lpString=".bz2") returned 4 [0050.037] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.037] lstrlenW (lpString=".7z") returned 3 [0050.037] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString=".dbf") returned 4 [0050.037] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString=".1cd") returned 4 [0050.037] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0050.037] lstrlenW (lpString=".jpg") returned 4 [0050.037] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.038] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.038] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.038] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=32433) returned 1 [0050.038] CloseHandle (hObject=0x204) returned 1 [0050.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0050.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.039] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.039] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0050.039] GetLastError () returned 0x0 [0050.039] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0050.041] WriteFile (in: hFile=0x1ec, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0050.043] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.043] WriteFile (in: hFile=0x1ec, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.043] SetEndOfFile (hFile=0x1ec) returned 1 [0050.043] CloseHandle (hObject=0x1ec) returned 1 [0050.043] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.043] SetEndOfFile (hFile=0x204) returned 1 [0050.044] CloseHandle (hObject=0x204) returned 1 [0050.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.045] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0050.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.045] lstrlenW (lpString=".doc") returned 4 [0050.045] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.045] lstrlenW (lpString=".docx") returned 5 [0050.045] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.045] lstrlenW (lpString=".pdf") returned 4 [0050.045] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.045] lstrlenW (lpString=".xls") returned 4 [0050.045] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.045] lstrlenW (lpString=".xlsx") returned 5 [0050.045] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.045] lstrlenW (lpString=".ppt") returned 4 [0050.045] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.045] lstrlenW (lpString=".zip") returned 4 [0050.045] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.045] lstrlenW (lpString=".rar") returned 4 [0050.045] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.045] lstrlenW (lpString=".bz2") returned 4 [0050.045] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.045] lstrlenW (lpString=".7z") returned 3 [0050.046] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString=".dbf") returned 4 [0050.046] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString=".1cd") returned 4 [0050.046] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString=".jpg") returned 4 [0050.046] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString=".doc") returned 4 [0050.046] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.046] lstrlenW (lpString=".docx") returned 5 [0050.046] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.046] lstrlenW (lpString=".pdf") returned 4 [0050.046] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.046] lstrlenW (lpString=".xls") returned 4 [0050.046] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.046] lstrlenW (lpString=".xlsx") returned 5 [0050.046] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.046] lstrlenW (lpString=".ppt") returned 4 [0050.046] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString=".zip") returned 4 [0050.046] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.046] lstrlenW (lpString=".rar") returned 4 [0050.046] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.046] lstrlenW (lpString=".bz2") returned 4 [0050.046] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.046] lstrlenW (lpString=".7z") returned 3 [0050.046] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.046] lstrlenW (lpString=".dbf") returned 4 [0050.046] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.047] lstrlenW (lpString=".1cd") returned 4 [0050.047] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0050.047] lstrlenW (lpString=".jpg") returned 4 [0050.047] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.047] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0050.047] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0050.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.047] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=5120) returned 1 [0050.048] CloseHandle (hObject=0x204) returned 1 [0050.048] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 0x20 [0050.048] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.048] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.048] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0050.918] GetLastError () returned 0x0 [0050.919] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x1400, lpOverlapped=0x0) returned 1 [0050.921] WriteFile (in: hFile=0x1dc, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0050.922] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.922] WriteFile (in: hFile=0x1dc, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.922] SetEndOfFile (hFile=0x1dc) returned 1 [0050.922] CloseHandle (hObject=0x1dc) returned 1 [0050.922] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.922] SetEndOfFile (hFile=0x204) returned 1 [0050.923] CloseHandle (hObject=0x204) returned 1 [0050.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.924] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0050.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.924] lstrlenW (lpString=".doc") returned 4 [0050.924] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.924] lstrlenW (lpString=".docx") returned 5 [0050.924] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0050.924] lstrlenW (lpString=".pdf") returned 4 [0050.925] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.925] lstrlenW (lpString=".xls") returned 4 [0050.925] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.925] lstrlenW (lpString=".xlsx") returned 5 [0050.925] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0050.925] lstrlenW (lpString=".ppt") returned 4 [0050.925] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.925] lstrlenW (lpString=".zip") returned 4 [0050.925] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.925] lstrlenW (lpString=".rar") returned 4 [0050.925] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.925] lstrlenW (lpString=".bz2") returned 4 [0050.925] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.925] lstrlenW (lpString=".7z") returned 3 [0050.925] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.925] lstrlenW (lpString=".dbf") returned 4 [0050.925] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.925] lstrlenW (lpString=".1cd") returned 4 [0050.925] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.925] lstrlenW (lpString=".jpg") returned 4 [0050.925] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.925] lstrlenW (lpString=".doc") returned 4 [0050.925] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.925] lstrlenW (lpString=".docx") returned 5 [0050.926] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0050.926] lstrlenW (lpString=".pdf") returned 4 [0050.926] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.926] lstrlenW (lpString=".xls") returned 4 [0050.926] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.926] lstrlenW (lpString=".xlsx") returned 5 [0050.926] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0050.926] lstrlenW (lpString=".ppt") returned 4 [0050.926] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.926] lstrlenW (lpString=".zip") returned 4 [0050.926] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.926] lstrlenW (lpString=".rar") returned 4 [0050.926] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.926] lstrlenW (lpString=".bz2") returned 4 [0050.926] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.926] lstrlenW (lpString=".7z") returned 3 [0050.926] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.926] lstrlenW (lpString=".dbf") returned 4 [0050.926] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.926] lstrlenW (lpString=".1cd") returned 4 [0050.926] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0050.926] lstrlenW (lpString=".jpg") returned 4 [0050.926] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.927] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0050.927] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0050.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.928] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1232) returned 1 [0050.928] CloseHandle (hObject=0x204) returned 1 [0050.928] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0050.928] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.928] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.928] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0050.931] GetLastError () returned 0x0 [0050.932] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x4d0, lpOverlapped=0x0) returned 1 [0050.933] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0050.934] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.934] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.934] SetEndOfFile (hFile=0x1f8) returned 1 [0050.935] CloseHandle (hObject=0x1f8) returned 1 [0050.935] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.935] SetEndOfFile (hFile=0x204) returned 1 [0050.936] CloseHandle (hObject=0x204) returned 1 [0050.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.936] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0050.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.937] lstrlenW (lpString=".doc") returned 4 [0050.937] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.937] lstrlenW (lpString=".docx") returned 5 [0050.937] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0050.937] lstrlenW (lpString=".pdf") returned 4 [0050.937] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.937] lstrlenW (lpString=".xls") returned 4 [0050.937] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.937] lstrlenW (lpString=".xlsx") returned 5 [0050.937] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0050.937] lstrlenW (lpString=".ppt") returned 4 [0050.937] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.937] lstrlenW (lpString=".zip") returned 4 [0050.937] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.937] lstrlenW (lpString=".rar") returned 4 [0050.937] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.937] lstrlenW (lpString=".bz2") returned 4 [0050.937] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.937] lstrlenW (lpString=".7z") returned 3 [0050.937] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.937] lstrlenW (lpString=".dbf") returned 4 [0050.937] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.937] lstrlenW (lpString=".1cd") returned 4 [0050.937] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.937] lstrlenW (lpString=".jpg") returned 4 [0050.937] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.938] lstrlenW (lpString=".doc") returned 4 [0050.938] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.938] lstrlenW (lpString=".docx") returned 5 [0050.938] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0050.938] lstrlenW (lpString=".pdf") returned 4 [0050.938] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.938] lstrlenW (lpString=".xls") returned 4 [0050.938] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.938] lstrlenW (lpString=".xlsx") returned 5 [0050.938] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0050.938] lstrlenW (lpString=".ppt") returned 4 [0050.938] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.938] lstrlenW (lpString=".zip") returned 4 [0050.938] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.938] lstrlenW (lpString=".rar") returned 4 [0050.938] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.938] lstrlenW (lpString=".bz2") returned 4 [0050.938] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.938] lstrlenW (lpString=".7z") returned 3 [0050.938] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.938] lstrlenW (lpString=".dbf") returned 4 [0050.938] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.938] lstrlenW (lpString=".1cd") returned 4 [0050.938] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0050.939] lstrlenW (lpString=".jpg") returned 4 [0050.939] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.939] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0050.939] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0050.939] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.939] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=18413) returned 1 [0050.939] CloseHandle (hObject=0x204) returned 1 [0050.939] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0050.939] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.940] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.940] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0050.940] GetLastError () returned 0x0 [0050.940] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x47ed, lpOverlapped=0x0) returned 1 [0050.943] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0050.944] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.944] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.944] SetEndOfFile (hFile=0x1f8) returned 1 [0050.944] CloseHandle (hObject=0x1f8) returned 1 [0050.945] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.945] SetEndOfFile (hFile=0x204) returned 1 [0050.946] CloseHandle (hObject=0x204) returned 1 [0050.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0050.946] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0050.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.947] lstrlenW (lpString=".doc") returned 4 [0050.947] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.947] lstrlenW (lpString=".docx") returned 5 [0050.947] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.947] lstrlenW (lpString=".pdf") returned 4 [0050.947] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.947] lstrlenW (lpString=".xls") returned 4 [0050.947] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.947] lstrlenW (lpString=".xlsx") returned 5 [0050.947] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.947] lstrlenW (lpString=".ppt") returned 4 [0050.947] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.947] lstrlenW (lpString=".zip") returned 4 [0050.947] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.947] lstrlenW (lpString=".rar") returned 4 [0050.947] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.947] lstrlenW (lpString=".bz2") returned 4 [0050.947] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.947] lstrlenW (lpString=".7z") returned 3 [0050.947] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.947] lstrlenW (lpString=".dbf") returned 4 [0050.947] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.947] lstrlenW (lpString=".1cd") returned 4 [0050.947] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString=".jpg") returned 4 [0050.948] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString=".doc") returned 4 [0050.948] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString=".docx") returned 5 [0050.948] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0050.948] lstrlenW (lpString=".pdf") returned 4 [0050.948] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString=".xls") returned 4 [0050.948] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0050.948] lstrlenW (lpString=".xlsx") returned 5 [0050.948] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0050.948] lstrlenW (lpString=".ppt") returned 4 [0050.948] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString=".zip") returned 4 [0050.948] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0050.948] lstrlenW (lpString=".rar") returned 4 [0050.948] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0050.948] lstrlenW (lpString=".bz2") returned 4 [0050.948] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString=".7z") returned 3 [0050.948] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString=".dbf") returned 4 [0050.948] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString=".1cd") returned 4 [0050.948] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0050.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0050.948] lstrlenW (lpString=".jpg") returned 4 [0050.948] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0050.949] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0050.949] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0050.949] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.949] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1659) returned 1 [0050.949] CloseHandle (hObject=0x204) returned 1 [0050.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0050.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0050.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.950] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.950] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.143] GetLastError () returned 0x0 [0051.143] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x67b, lpOverlapped=0x0) returned 1 [0051.206] WriteFile (in: hFile=0x21c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x680, lpOverlapped=0x0) returned 1 [0051.208] ReadFile (in: hFile=0x204, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.208] WriteFile (in: hFile=0x21c, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.208] SetEndOfFile (hFile=0x21c) returned 1 [0051.208] CloseHandle (hObject=0x21c) returned 1 [0051.208] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.209] SetEndOfFile (hFile=0x204) returned 1 [0051.210] CloseHandle (hObject=0x204) returned 1 [0051.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.210] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0051.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.211] lstrlenW (lpString=".doc") returned 4 [0051.211] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.211] lstrlenW (lpString=".docx") returned 5 [0051.211] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.211] lstrlenW (lpString=".pdf") returned 4 [0051.211] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.211] lstrlenW (lpString=".xls") returned 4 [0051.211] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.211] lstrlenW (lpString=".xlsx") returned 5 [0051.211] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.211] lstrlenW (lpString=".ppt") returned 4 [0051.211] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.211] lstrlenW (lpString=".zip") returned 4 [0051.211] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.211] lstrlenW (lpString=".rar") returned 4 [0051.211] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.211] lstrlenW (lpString=".bz2") returned 4 [0051.211] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.211] lstrlenW (lpString=".7z") returned 3 [0051.211] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.212] lstrlenW (lpString=".dbf") returned 4 [0051.212] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.212] lstrlenW (lpString=".1cd") returned 4 [0051.212] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.212] lstrlenW (lpString=".jpg") returned 4 [0051.212] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.212] lstrlenW (lpString=".doc") returned 4 [0051.212] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.212] lstrlenW (lpString=".docx") returned 5 [0051.212] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.212] lstrlenW (lpString=".pdf") returned 4 [0051.212] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.212] lstrlenW (lpString=".xls") returned 4 [0051.212] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.212] lstrlenW (lpString=".xlsx") returned 5 [0051.212] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.212] lstrlenW (lpString=".ppt") returned 4 [0051.212] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.212] lstrlenW (lpString=".zip") returned 4 [0051.212] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.213] lstrlenW (lpString=".rar") returned 4 [0051.213] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.213] lstrlenW (lpString=".bz2") returned 4 [0051.213] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.213] lstrlenW (lpString=".7z") returned 3 [0051.213] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.213] lstrlenW (lpString=".dbf") returned 4 [0051.213] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.213] lstrlenW (lpString=".1cd") returned 4 [0051.213] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0051.213] lstrlenW (lpString=".jpg") returned 4 [0051.213] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.213] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.213] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.407] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=37440) returned 1 [0051.407] CloseHandle (hObject=0x1f8) returned 1 [0051.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0051.408] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.408] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.408] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.408] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.408] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.408] GetLastError () returned 0x0 [0051.408] ReadFile (in: hFile=0x1f8, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x9240, lpOverlapped=0x0) returned 1 [0051.411] WriteFile (in: hFile=0x214, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x9250, lpOverlapped=0x0) returned 1 [0051.413] ReadFile (in: hFile=0x1f8, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.413] WriteFile (in: hFile=0x214, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.414] SetEndOfFile (hFile=0x214) returned 1 [0051.414] CloseHandle (hObject=0x214) returned 1 [0051.414] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.414] SetEndOfFile (hFile=0x1f8) returned 1 [0051.415] CloseHandle (hObject=0x1f8) returned 1 [0051.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.415] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0051.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.416] lstrlenW (lpString=".doc") returned 4 [0051.416] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.416] lstrlenW (lpString=".docx") returned 5 [0051.416] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.416] lstrlenW (lpString=".pdf") returned 4 [0051.416] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.416] lstrlenW (lpString=".xls") returned 4 [0051.416] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.416] lstrlenW (lpString=".xlsx") returned 5 [0051.416] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.416] lstrlenW (lpString=".ppt") returned 4 [0051.416] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.416] lstrlenW (lpString=".zip") returned 4 [0051.416] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.416] lstrlenW (lpString=".rar") returned 4 [0051.416] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.416] lstrlenW (lpString=".bz2") returned 4 [0051.416] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.416] lstrlenW (lpString=".7z") returned 3 [0051.416] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.416] lstrlenW (lpString=".dbf") returned 4 [0051.416] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.416] lstrlenW (lpString=".1cd") returned 4 [0051.416] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.416] lstrlenW (lpString=".jpg") returned 4 [0051.416] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.417] lstrlenW (lpString=".doc") returned 4 [0051.417] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.417] lstrlenW (lpString=".docx") returned 5 [0051.417] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.417] lstrlenW (lpString=".pdf") returned 4 [0051.417] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.417] lstrlenW (lpString=".xls") returned 4 [0051.417] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.417] lstrlenW (lpString=".xlsx") returned 5 [0051.417] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.417] lstrlenW (lpString=".ppt") returned 4 [0051.417] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.417] lstrlenW (lpString=".zip") returned 4 [0051.417] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.417] lstrlenW (lpString=".rar") returned 4 [0051.417] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.417] lstrlenW (lpString=".bz2") returned 4 [0051.417] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.417] lstrlenW (lpString=".7z") returned 3 [0051.417] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.417] lstrlenW (lpString=".dbf") returned 4 [0051.417] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.417] lstrlenW (lpString=".1cd") returned 4 [0051.417] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0051.417] lstrlenW (lpString=".jpg") returned 4 [0051.417] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.418] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.418] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.418] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1593) returned 1 [0051.418] CloseHandle (hObject=0x1f8) returned 1 [0051.418] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0051.418] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.418] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.419] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.421] GetLastError () returned 0x0 [0051.421] ReadFile (in: hFile=0x1f8, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x639, lpOverlapped=0x0) returned 1 [0051.424] WriteFile (in: hFile=0x214, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x640, lpOverlapped=0x0) returned 1 [0051.425] ReadFile (in: hFile=0x1f8, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.425] WriteFile (in: hFile=0x214, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.425] SetEndOfFile (hFile=0x214) returned 1 [0051.425] CloseHandle (hObject=0x214) returned 1 [0051.425] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.425] SetEndOfFile (hFile=0x1f8) returned 1 [0051.426] CloseHandle (hObject=0x1f8) returned 1 [0051.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.427] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0051.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.427] lstrlenW (lpString=".doc") returned 4 [0051.427] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.427] lstrlenW (lpString=".docx") returned 5 [0051.427] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.427] lstrlenW (lpString=".pdf") returned 4 [0051.427] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.427] lstrlenW (lpString=".xls") returned 4 [0051.427] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.427] lstrlenW (lpString=".xlsx") returned 5 [0051.427] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.427] lstrlenW (lpString=".ppt") returned 4 [0051.427] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.427] lstrlenW (lpString=".zip") returned 4 [0051.427] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.427] lstrlenW (lpString=".rar") returned 4 [0051.427] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.427] lstrlenW (lpString=".bz2") returned 4 [0051.427] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.427] lstrlenW (lpString=".7z") returned 3 [0051.427] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString=".dbf") returned 4 [0051.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString=".1cd") returned 4 [0051.428] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString=".jpg") returned 4 [0051.428] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString=".doc") returned 4 [0051.428] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.428] lstrlenW (lpString=".docx") returned 5 [0051.428] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0051.428] lstrlenW (lpString=".pdf") returned 4 [0051.428] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.428] lstrlenW (lpString=".xls") returned 4 [0051.428] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.428] lstrlenW (lpString=".xlsx") returned 5 [0051.428] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0051.428] lstrlenW (lpString=".ppt") returned 4 [0051.428] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString=".zip") returned 4 [0051.428] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.428] lstrlenW (lpString=".rar") returned 4 [0051.428] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.428] lstrlenW (lpString=".bz2") returned 4 [0051.428] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.428] lstrlenW (lpString=".7z") returned 3 [0051.428] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.428] lstrlenW (lpString=".dbf") returned 4 [0051.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.429] lstrlenW (lpString=".1cd") returned 4 [0051.429] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0051.429] lstrlenW (lpString=".jpg") returned 4 [0051.429] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.429] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.429] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.432] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=21745) returned 1 [0051.432] CloseHandle (hObject=0x224) returned 1 [0051.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0051.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.433] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.433] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.433] GetLastError () returned 0x0 [0051.433] ReadFile (in: hFile=0x224, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x54f1, lpOverlapped=0x0) returned 1 [0051.437] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x5500, lpOverlapped=0x0) returned 1 [0051.438] ReadFile (in: hFile=0x224, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.439] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.439] SetEndOfFile (hFile=0x1f8) returned 1 [0051.439] CloseHandle (hObject=0x1f8) returned 1 [0051.439] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.439] SetEndOfFile (hFile=0x224) returned 1 [0051.440] CloseHandle (hObject=0x224) returned 1 [0051.440] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.440] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0051.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.441] lstrlenW (lpString=".doc") returned 4 [0051.441] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.441] lstrlenW (lpString=".docx") returned 5 [0051.441] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.441] lstrlenW (lpString=".pdf") returned 4 [0051.441] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.441] lstrlenW (lpString=".xls") returned 4 [0051.441] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.441] lstrlenW (lpString=".xlsx") returned 5 [0051.441] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.441] lstrlenW (lpString=".ppt") returned 4 [0051.441] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.441] lstrlenW (lpString=".zip") returned 4 [0051.441] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.441] lstrlenW (lpString=".rar") returned 4 [0051.441] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.441] lstrlenW (lpString=".bz2") returned 4 [0051.441] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.441] lstrlenW (lpString=".7z") returned 3 [0051.441] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.441] lstrlenW (lpString=".dbf") returned 4 [0051.441] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.441] lstrlenW (lpString=".1cd") returned 4 [0051.441] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString=".jpg") returned 4 [0051.442] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString=".doc") returned 4 [0051.442] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.442] lstrlenW (lpString=".docx") returned 5 [0051.442] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.442] lstrlenW (lpString=".pdf") returned 4 [0051.442] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.442] lstrlenW (lpString=".xls") returned 4 [0051.442] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.442] lstrlenW (lpString=".xlsx") returned 5 [0051.442] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.442] lstrlenW (lpString=".ppt") returned 4 [0051.442] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString=".zip") returned 4 [0051.442] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.442] lstrlenW (lpString=".rar") returned 4 [0051.442] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.442] lstrlenW (lpString=".bz2") returned 4 [0051.442] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.442] lstrlenW (lpString=".7z") returned 3 [0051.442] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString=".dbf") returned 4 [0051.442] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString=".1cd") returned 4 [0051.442] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0051.442] lstrlenW (lpString=".jpg") returned 4 [0051.442] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.443] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0051.443] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0051.443] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.443] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=16738) returned 1 [0051.443] CloseHandle (hObject=0x224) returned 1 [0051.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0051.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.444] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.444] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.444] GetLastError () returned 0x0 [0051.444] ReadFile (in: hFile=0x224, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x4162, lpOverlapped=0x0) returned 1 [0051.696] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x4170, lpOverlapped=0x0) returned 1 [0051.697] ReadFile (in: hFile=0x224, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.697] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.697] SetEndOfFile (hFile=0x1f8) returned 1 [0051.697] CloseHandle (hObject=0x1f8) returned 1 [0051.698] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.698] SetEndOfFile (hFile=0x224) returned 1 [0051.698] CloseHandle (hObject=0x224) returned 1 [0051.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0051.699] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0051.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.699] lstrlenW (lpString=".doc") returned 4 [0051.699] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.699] lstrlenW (lpString=".docx") returned 5 [0051.699] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.699] lstrlenW (lpString=".pdf") returned 4 [0051.699] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.699] lstrlenW (lpString=".xls") returned 4 [0051.699] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.699] lstrlenW (lpString=".xlsx") returned 5 [0051.699] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.699] lstrlenW (lpString=".ppt") returned 4 [0051.699] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.699] lstrlenW (lpString=".zip") returned 4 [0051.699] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.699] lstrlenW (lpString=".rar") returned 4 [0051.699] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.699] lstrlenW (lpString=".bz2") returned 4 [0051.700] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString=".7z") returned 3 [0051.700] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.700] lstrlenW (lpString=".dbf") returned 4 [0051.700] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.700] lstrlenW (lpString=".1cd") returned 4 [0051.700] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.700] lstrlenW (lpString=".jpg") returned 4 [0051.700] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.700] lstrlenW (lpString=".doc") returned 4 [0051.700] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString=".docx") returned 5 [0051.700] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0051.700] lstrlenW (lpString=".pdf") returned 4 [0051.700] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString=".xls") returned 4 [0051.700] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0051.700] lstrlenW (lpString=".xlsx") returned 5 [0051.700] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0051.700] lstrlenW (lpString=".ppt") returned 4 [0051.700] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.700] lstrlenW (lpString=".zip") returned 4 [0051.700] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0051.700] lstrlenW (lpString=".rar") returned 4 [0051.700] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0051.700] lstrlenW (lpString=".bz2") returned 4 [0051.700] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0051.700] lstrlenW (lpString=".7z") returned 3 [0051.701] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0051.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.701] lstrlenW (lpString=".dbf") returned 4 [0051.701] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0051.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.701] lstrlenW (lpString=".1cd") returned 4 [0051.701] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0051.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0051.716] lstrlenW (lpString=".jpg") returned 4 [0051.716] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0051.717] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0051.717] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0051.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.717] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4100) returned 1 [0051.717] CloseHandle (hObject=0x224) returned 1 [0051.717] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 0x20 [0051.717] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.718] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.718] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0052.055] GetLastError () returned 0x0 [0052.055] ReadFile (in: hFile=0x224, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x1004, lpOverlapped=0x0) returned 1 [0052.073] WriteFile (in: hFile=0x1c4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1010, lpOverlapped=0x0) returned 1 [0052.074] ReadFile (in: hFile=0x224, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.074] WriteFile (in: hFile=0x1c4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.074] SetEndOfFile (hFile=0x1c4) returned 1 [0052.075] CloseHandle (hObject=0x1c4) returned 1 [0052.075] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.075] SetEndOfFile (hFile=0x224) returned 1 [0052.076] CloseHandle (hObject=0x224) returned 1 [0052.076] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0052.076] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0052.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.076] lstrlenW (lpString=".doc") returned 4 [0052.076] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.076] lstrlenW (lpString=".docx") returned 5 [0052.076] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0052.076] lstrlenW (lpString=".pdf") returned 4 [0052.076] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.076] lstrlenW (lpString=".xls") returned 4 [0052.076] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.076] lstrlenW (lpString=".xlsx") returned 5 [0052.076] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0052.076] lstrlenW (lpString=".ppt") returned 4 [0052.076] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString=".zip") returned 4 [0052.077] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString=".rar") returned 4 [0052.077] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString=".bz2") returned 4 [0052.077] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.077] lstrlenW (lpString=".7z") returned 3 [0052.077] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString=".dbf") returned 4 [0052.077] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString=".1cd") returned 4 [0052.077] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString=".jpg") returned 4 [0052.077] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString=".doc") returned 4 [0052.077] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.077] lstrlenW (lpString=".docx") returned 5 [0052.077] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0052.077] lstrlenW (lpString=".pdf") returned 4 [0052.077] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString=".xls") returned 4 [0052.077] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString=".xlsx") returned 5 [0052.077] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0052.077] lstrlenW (lpString=".ppt") returned 4 [0052.077] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.077] lstrlenW (lpString=".zip") returned 4 [0052.077] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.078] lstrlenW (lpString=".rar") returned 4 [0052.078] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.078] lstrlenW (lpString=".bz2") returned 4 [0052.078] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.078] lstrlenW (lpString=".7z") returned 3 [0052.078] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.078] lstrlenW (lpString=".dbf") returned 4 [0052.078] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.078] lstrlenW (lpString=".1cd") returned 4 [0052.078] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0052.078] lstrlenW (lpString=".jpg") returned 4 [0052.078] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.078] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0052.078] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0052.078] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.319] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1009) returned 1 [0052.319] CloseHandle (hObject=0x214) returned 1 [0052.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0052.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.320] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.320] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.320] GetLastError () returned 0x0 [0052.320] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x3f1, lpOverlapped=0x0) returned 1 [0052.322] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x400, lpOverlapped=0x0) returned 1 [0052.323] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.323] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.323] SetEndOfFile (hFile=0x1f8) returned 1 [0052.323] CloseHandle (hObject=0x1f8) returned 1 [0052.323] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.323] SetEndOfFile (hFile=0x214) returned 1 [0052.324] CloseHandle (hObject=0x214) returned 1 [0052.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0052.324] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0052.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.325] lstrlenW (lpString=".doc") returned 4 [0052.325] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.325] lstrlenW (lpString=".docx") returned 5 [0052.325] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0052.325] lstrlenW (lpString=".pdf") returned 4 [0052.325] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.325] lstrlenW (lpString=".xls") returned 4 [0052.325] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.325] lstrlenW (lpString=".xlsx") returned 5 [0052.325] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0052.325] lstrlenW (lpString=".ppt") returned 4 [0052.325] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.325] lstrlenW (lpString=".zip") returned 4 [0052.325] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.325] lstrlenW (lpString=".rar") returned 4 [0052.325] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.325] lstrlenW (lpString=".bz2") returned 4 [0052.325] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.325] lstrlenW (lpString=".7z") returned 3 [0052.325] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.325] lstrlenW (lpString=".dbf") returned 4 [0052.325] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.325] lstrlenW (lpString=".1cd") returned 4 [0052.325] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.325] lstrlenW (lpString=".jpg") returned 4 [0052.325] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.326] lstrlenW (lpString=".doc") returned 4 [0052.326] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.326] lstrlenW (lpString=".docx") returned 5 [0052.326] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0052.326] lstrlenW (lpString=".pdf") returned 4 [0052.326] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.326] lstrlenW (lpString=".xls") returned 4 [0052.326] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.326] lstrlenW (lpString=".xlsx") returned 5 [0052.326] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0052.326] lstrlenW (lpString=".ppt") returned 4 [0052.326] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.326] lstrlenW (lpString=".zip") returned 4 [0052.326] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.326] lstrlenW (lpString=".rar") returned 4 [0052.326] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.326] lstrlenW (lpString=".bz2") returned 4 [0052.326] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.326] lstrlenW (lpString=".7z") returned 3 [0052.326] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.326] lstrlenW (lpString=".dbf") returned 4 [0052.326] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.326] lstrlenW (lpString=".1cd") returned 4 [0052.326] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0052.326] lstrlenW (lpString=".jpg") returned 4 [0052.326] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.326] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0052.327] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0052.327] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.327] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=33479) returned 1 [0052.327] CloseHandle (hObject=0x214) returned 1 [0052.327] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0052.327] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.327] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.327] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.327] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.327] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.328] GetLastError () returned 0x0 [0052.328] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x82c7, lpOverlapped=0x0) returned 1 [0052.330] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0052.332] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.332] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.332] SetEndOfFile (hFile=0x1f8) returned 1 [0052.332] CloseHandle (hObject=0x1f8) returned 1 [0052.332] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.332] SetEndOfFile (hFile=0x214) returned 1 [0052.333] CloseHandle (hObject=0x214) returned 1 [0052.333] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0052.333] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString=".doc") returned 4 [0052.334] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0052.334] lstrlenW (lpString=".docx") returned 5 [0052.334] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0052.334] lstrlenW (lpString=".pdf") returned 4 [0052.334] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0052.334] lstrlenW (lpString=".xls") returned 4 [0052.334] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0052.334] lstrlenW (lpString=".xlsx") returned 5 [0052.334] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0052.334] lstrlenW (lpString=".ppt") returned 4 [0052.334] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString=".zip") returned 4 [0052.334] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0052.334] lstrlenW (lpString=".rar") returned 4 [0052.334] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0052.334] lstrlenW (lpString=".bz2") returned 4 [0052.334] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0052.334] lstrlenW (lpString=".7z") returned 3 [0052.334] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString=".dbf") returned 4 [0052.334] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString=".1cd") returned 4 [0052.334] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString=".jpg") returned 4 [0052.334] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.334] lstrlenW (lpString=".doc") returned 4 [0052.335] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0052.335] lstrlenW (lpString=".docx") returned 5 [0052.335] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0052.335] lstrlenW (lpString=".pdf") returned 4 [0052.335] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0052.335] lstrlenW (lpString=".xls") returned 4 [0052.335] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0052.335] lstrlenW (lpString=".xlsx") returned 5 [0052.335] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0052.335] lstrlenW (lpString=".ppt") returned 4 [0052.335] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0052.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.335] lstrlenW (lpString=".zip") returned 4 [0052.335] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0052.335] lstrlenW (lpString=".rar") returned 4 [0052.335] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0052.335] lstrlenW (lpString=".bz2") returned 4 [0052.335] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0052.335] lstrlenW (lpString=".7z") returned 3 [0052.335] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0052.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.335] lstrlenW (lpString=".dbf") returned 4 [0052.335] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0052.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.335] lstrlenW (lpString=".1cd") returned 4 [0052.335] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0052.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0052.335] lstrlenW (lpString=".jpg") returned 4 [0052.335] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0052.335] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0052.336] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0052.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.336] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1675) returned 1 [0052.336] CloseHandle (hObject=0x214) returned 1 [0052.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 0x20 [0052.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.336] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.336] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.339] GetLastError () returned 0x0 [0052.339] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x68b, lpOverlapped=0x0) returned 1 [0052.340] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x690, lpOverlapped=0x0) returned 1 [0052.341] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.341] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.342] SetEndOfFile (hFile=0x1f8) returned 1 [0052.342] CloseHandle (hObject=0x1f8) returned 1 [0052.342] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.342] SetEndOfFile (hFile=0x214) returned 1 [0052.343] CloseHandle (hObject=0x214) returned 1 [0052.343] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0052.343] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0052.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.343] lstrlenW (lpString=".doc") returned 4 [0052.343] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.343] lstrlenW (lpString=".docx") returned 5 [0052.343] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0052.343] lstrlenW (lpString=".pdf") returned 4 [0052.343] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.343] lstrlenW (lpString=".xls") returned 4 [0052.343] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.344] lstrlenW (lpString=".xlsx") returned 5 [0052.344] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0052.344] lstrlenW (lpString=".ppt") returned 4 [0052.344] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.344] lstrlenW (lpString=".zip") returned 4 [0052.344] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.344] lstrlenW (lpString=".rar") returned 4 [0052.344] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.344] lstrlenW (lpString=".bz2") returned 4 [0052.344] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.344] lstrlenW (lpString=".7z") returned 3 [0052.344] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.344] lstrlenW (lpString=".dbf") returned 4 [0052.344] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.344] lstrlenW (lpString=".1cd") returned 4 [0052.344] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.344] lstrlenW (lpString=".jpg") returned 4 [0052.344] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.344] lstrlenW (lpString=".doc") returned 4 [0052.344] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.344] lstrlenW (lpString=".docx") returned 5 [0052.344] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0052.344] lstrlenW (lpString=".pdf") returned 4 [0052.344] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.344] lstrlenW (lpString=".xls") returned 4 [0052.345] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.345] lstrlenW (lpString=".xlsx") returned 5 [0052.345] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0052.345] lstrlenW (lpString=".ppt") returned 4 [0052.345] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.345] lstrlenW (lpString=".zip") returned 4 [0052.345] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.345] lstrlenW (lpString=".rar") returned 4 [0052.345] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.345] lstrlenW (lpString=".bz2") returned 4 [0052.345] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.345] lstrlenW (lpString=".7z") returned 3 [0052.345] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.345] lstrlenW (lpString=".dbf") returned 4 [0052.345] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.345] lstrlenW (lpString=".1cd") returned 4 [0052.345] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0052.345] lstrlenW (lpString=".jpg") returned 4 [0052.345] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.345] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0052.346] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0052.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.346] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=18380) returned 1 [0052.346] CloseHandle (hObject=0x214) returned 1 [0052.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0052.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.346] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.346] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.347] GetLastError () returned 0x0 [0052.347] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x47cc, lpOverlapped=0x0) returned 1 [0052.637] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0052.638] ReadFile (in: hFile=0x214, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.638] WriteFile (in: hFile=0x1f8, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.638] SetEndOfFile (hFile=0x1f8) returned 1 [0052.638] CloseHandle (hObject=0x1f8) returned 1 [0052.639] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.639] SetEndOfFile (hFile=0x214) returned 1 [0052.640] CloseHandle (hObject=0x214) returned 1 [0052.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0052.640] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0052.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.640] lstrlenW (lpString=".doc") returned 4 [0052.640] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0052.640] lstrlenW (lpString=".docx") returned 5 [0052.640] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0052.640] lstrlenW (lpString=".pdf") returned 4 [0052.640] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0052.640] lstrlenW (lpString=".xls") returned 4 [0052.640] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0052.640] lstrlenW (lpString=".xlsx") returned 5 [0052.640] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0052.641] lstrlenW (lpString=".ppt") returned 4 [0052.641] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0052.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.641] lstrlenW (lpString=".zip") returned 4 [0052.641] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0052.641] lstrlenW (lpString=".rar") returned 4 [0052.641] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0052.641] lstrlenW (lpString=".bz2") returned 4 [0052.641] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0052.641] lstrlenW (lpString=".7z") returned 3 [0052.641] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0052.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.641] lstrlenW (lpString=".dbf") returned 4 [0052.641] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0052.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.641] lstrlenW (lpString=".1cd") returned 4 [0052.641] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0052.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.641] lstrlenW (lpString=".jpg") returned 4 [0052.641] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0052.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.641] lstrlenW (lpString=".doc") returned 4 [0052.641] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0052.641] lstrlenW (lpString=".docx") returned 5 [0052.641] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0052.641] lstrlenW (lpString=".pdf") returned 4 [0052.641] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0052.642] lstrlenW (lpString=".xls") returned 4 [0052.642] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0052.642] lstrlenW (lpString=".xlsx") returned 5 [0052.642] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0052.642] lstrlenW (lpString=".ppt") returned 4 [0052.642] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0052.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.642] lstrlenW (lpString=".zip") returned 4 [0052.642] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0052.642] lstrlenW (lpString=".rar") returned 4 [0052.642] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0052.642] lstrlenW (lpString=".bz2") returned 4 [0052.642] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0052.642] lstrlenW (lpString=".7z") returned 3 [0052.642] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0052.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.642] lstrlenW (lpString=".dbf") returned 4 [0052.642] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0052.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.642] lstrlenW (lpString=".1cd") returned 4 [0052.642] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0052.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0052.642] lstrlenW (lpString=".jpg") returned 4 [0052.642] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0052.642] lstrcmpiW (lpString1=".PNG", lpString2=".NcOv") returned 1 [0052.642] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0052.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.782] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=44302) returned 1 [0052.782] CloseHandle (hObject=0x1ec) returned 1 [0052.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0052.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.782] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.783] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.783] GetLastError () returned 0x0 [0052.783] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0xad0e, lpOverlapped=0x0) returned 1 [0052.905] WriteFile (in: hFile=0x1a0, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xad10, lpOverlapped=0x0) returned 1 [0052.907] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.907] WriteFile (in: hFile=0x1a0, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.908] SetEndOfFile (hFile=0x1a0) returned 1 [0052.908] CloseHandle (hObject=0x1a0) returned 1 [0052.908] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.908] SetEndOfFile (hFile=0x1ec) returned 1 [0052.909] CloseHandle (hObject=0x1ec) returned 1 [0052.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0052.910] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0052.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.910] lstrlenW (lpString=".doc") returned 4 [0052.910] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0052.910] lstrlenW (lpString=".docx") returned 5 [0052.910] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0052.910] lstrlenW (lpString=".pdf") returned 4 [0052.910] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0052.910] lstrlenW (lpString=".xls") returned 4 [0052.910] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0052.910] lstrlenW (lpString=".xlsx") returned 5 [0052.911] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0052.911] lstrlenW (lpString=".ppt") returned 4 [0052.911] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0052.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.911] lstrlenW (lpString=".zip") returned 4 [0052.911] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0052.911] lstrlenW (lpString=".rar") returned 4 [0052.911] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0052.911] lstrlenW (lpString=".bz2") returned 4 [0052.911] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0052.911] lstrlenW (lpString=".7z") returned 3 [0052.911] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0052.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.911] lstrlenW (lpString=".dbf") returned 4 [0052.911] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0052.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.911] lstrlenW (lpString=".1cd") returned 4 [0052.911] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0052.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.911] lstrlenW (lpString=".jpg") returned 4 [0052.911] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0052.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.911] lstrlenW (lpString=".doc") returned 4 [0052.911] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0052.912] lstrlenW (lpString=".docx") returned 5 [0052.912] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0052.912] lstrlenW (lpString=".pdf") returned 4 [0052.912] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0052.912] lstrlenW (lpString=".xls") returned 4 [0052.912] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0052.912] lstrlenW (lpString=".xlsx") returned 5 [0052.912] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0052.912] lstrlenW (lpString=".ppt") returned 4 [0052.912] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0052.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.912] lstrlenW (lpString=".zip") returned 4 [0052.912] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0052.912] lstrlenW (lpString=".rar") returned 4 [0052.912] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0052.912] lstrlenW (lpString=".bz2") returned 4 [0052.912] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0052.912] lstrlenW (lpString=".7z") returned 3 [0052.912] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0052.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.912] lstrlenW (lpString=".dbf") returned 4 [0052.912] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0052.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.912] lstrlenW (lpString=".1cd") returned 4 [0052.912] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0052.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0052.912] lstrlenW (lpString=".jpg") returned 4 [0052.912] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0052.913] lstrcmpiW (lpString1=".CHM", lpString2=".NcOv") returned -1 [0052.913] lstrlenW (lpString="VBCN6.CHM") returned 9 [0052.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.913] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=109718) returned 1 [0052.913] CloseHandle (hObject=0x1ec) returned 1 [0052.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0052.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.914] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.914] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.914] GetLastError () returned 0x0 [0052.914] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0053.036] WriteFile (in: hFile=0x1a0, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0053.039] ReadFile (in: hFile=0x1ec, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.039] WriteFile (in: hFile=0x1a0, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.039] SetEndOfFile (hFile=0x1a0) returned 1 [0053.039] CloseHandle (hObject=0x1a0) returned 1 [0053.040] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.040] SetEndOfFile (hFile=0x1ec) returned 1 [0053.041] CloseHandle (hObject=0x1ec) returned 1 [0053.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.041] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0053.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.042] lstrlenW (lpString=".doc") returned 4 [0053.042] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString=".docx") returned 5 [0053.042] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0053.042] lstrlenW (lpString=".pdf") returned 4 [0053.042] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString=".xls") returned 4 [0053.042] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString=".xlsx") returned 5 [0053.042] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0053.042] lstrlenW (lpString=".ppt") returned 4 [0053.042] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.042] lstrlenW (lpString=".zip") returned 4 [0053.042] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString=".rar") returned 4 [0053.042] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString=".bz2") returned 4 [0053.042] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.042] lstrlenW (lpString=".7z") returned 3 [0053.042] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.042] lstrlenW (lpString=".dbf") returned 4 [0053.042] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.042] lstrlenW (lpString=".1cd") returned 4 [0053.042] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString=".jpg") returned 4 [0053.043] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString=".doc") returned 4 [0053.043] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString=".docx") returned 5 [0053.043] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0053.043] lstrlenW (lpString=".pdf") returned 4 [0053.043] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString=".xls") returned 4 [0053.043] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString=".xlsx") returned 5 [0053.043] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0053.043] lstrlenW (lpString=".ppt") returned 4 [0053.043] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString=".zip") returned 4 [0053.043] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString=".rar") returned 4 [0053.043] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString=".bz2") returned 4 [0053.043] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.043] lstrlenW (lpString=".7z") returned 3 [0053.043] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString=".dbf") returned 4 [0053.043] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString=".1cd") returned 4 [0053.043] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0053.043] lstrlenW (lpString=".jpg") returned 4 [0053.044] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.044] lstrcmpiW (lpString1=".CHM", lpString2=".NcOv") returned -1 [0053.044] lstrlenW (lpString="VBENDF98.CHM") returned 12 [0053.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.111] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=72031) returned 1 [0053.111] CloseHandle (hObject=0x1e8) returned 1 [0053.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 0x20 [0053.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.112] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.112] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.112] GetLastError () returned 0x0 [0053.112] ReadFile (in: hFile=0x1e8, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x1195f, lpOverlapped=0x0) returned 1 [0053.425] WriteFile (in: hFile=0x208, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x11960, lpOverlapped=0x0) returned 1 [0053.427] ReadFile (in: hFile=0x1e8, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.427] WriteFile (in: hFile=0x208, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.427] SetEndOfFile (hFile=0x208) returned 1 [0053.427] CloseHandle (hObject=0x208) returned 1 [0053.428] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.428] SetEndOfFile (hFile=0x1e8) returned 1 [0053.429] CloseHandle (hObject=0x1e8) returned 1 [0053.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0053.429] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0053.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.429] lstrlenW (lpString=".doc") returned 4 [0053.429] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString=".docx") returned 5 [0053.430] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0053.430] lstrlenW (lpString=".pdf") returned 4 [0053.430] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString=".xls") returned 4 [0053.430] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString=".xlsx") returned 5 [0053.430] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0053.430] lstrlenW (lpString=".ppt") returned 4 [0053.430] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.430] lstrlenW (lpString=".zip") returned 4 [0053.430] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString=".rar") returned 4 [0053.430] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString=".bz2") returned 4 [0053.430] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.430] lstrlenW (lpString=".7z") returned 3 [0053.430] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.430] lstrlenW (lpString=".dbf") returned 4 [0053.430] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.430] lstrlenW (lpString=".1cd") returned 4 [0053.430] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.430] lstrlenW (lpString=".jpg") returned 4 [0053.430] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.430] lstrlenW (lpString=".doc") returned 4 [0053.430] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0053.430] lstrlenW (lpString=".docx") returned 5 [0053.431] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0053.431] lstrlenW (lpString=".pdf") returned 4 [0053.431] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0053.431] lstrlenW (lpString=".xls") returned 4 [0053.431] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0053.431] lstrlenW (lpString=".xlsx") returned 5 [0053.431] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0053.431] lstrlenW (lpString=".ppt") returned 4 [0053.431] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0053.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.431] lstrlenW (lpString=".zip") returned 4 [0053.431] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0053.431] lstrlenW (lpString=".rar") returned 4 [0053.431] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0053.431] lstrlenW (lpString=".bz2") returned 4 [0053.431] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0053.431] lstrlenW (lpString=".7z") returned 3 [0053.431] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0053.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.431] lstrlenW (lpString=".dbf") returned 4 [0053.431] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0053.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.431] lstrlenW (lpString=".1cd") returned 4 [0053.431] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0053.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0053.431] lstrlenW (lpString=".jpg") returned 4 [0053.431] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0053.431] lstrcmpiW (lpString1=".inc", lpString2=".NcOv") returned -1 [0053.431] lstrlenW (lpString="adcvbs.inc") returned 10 [0053.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.780] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=623) returned 1 [0053.780] CloseHandle (hObject=0x1e8) returned 1 [0053.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc")) returned 0x20 [0053.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.781] lstrlenW (lpString=".doc") returned 4 [0053.781] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.781] lstrlenW (lpString=".docx") returned 5 [0053.781] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.781] lstrlenW (lpString=".pdf") returned 4 [0053.781] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.781] lstrlenW (lpString=".xls") returned 4 [0053.781] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.781] lstrlenW (lpString=".xlsx") returned 5 [0053.781] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.781] lstrlenW (lpString=".ppt") returned 4 [0053.781] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.781] lstrlenW (lpString=".zip") returned 4 [0053.781] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.781] lstrlenW (lpString=".rar") returned 4 [0053.781] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.781] lstrlenW (lpString=".bz2") returned 4 [0053.781] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.781] lstrlenW (lpString=".7z") returned 3 [0053.781] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.781] lstrlenW (lpString=".dbf") returned 4 [0053.781] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.781] lstrlenW (lpString=".1cd") returned 4 [0053.781] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.782] lstrlenW (lpString=".jpg") returned 4 [0053.782] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.782] lstrlenW (lpString=".doc") returned 4 [0053.782] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0053.782] lstrlenW (lpString=".docx") returned 5 [0053.782] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0053.782] lstrlenW (lpString=".pdf") returned 4 [0053.782] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0053.782] lstrlenW (lpString=".xls") returned 4 [0053.782] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0053.782] lstrlenW (lpString=".xlsx") returned 5 [0053.782] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0053.782] lstrlenW (lpString=".ppt") returned 4 [0053.782] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0053.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.782] lstrlenW (lpString=".zip") returned 4 [0053.782] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0053.782] lstrlenW (lpString=".rar") returned 4 [0053.782] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0053.782] lstrlenW (lpString=".bz2") returned 4 [0053.782] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0053.782] lstrlenW (lpString=".7z") returned 3 [0053.782] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0053.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.782] lstrlenW (lpString=".dbf") returned 4 [0053.783] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0053.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.783] lstrlenW (lpString=".1cd") returned 4 [0053.783] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0053.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0053.783] lstrlenW (lpString=".jpg") returned 4 [0053.783] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0053.783] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.783] lstrlenW (lpString="4to3Squareframe_SelectionSubpicture.png") returned 39 [0053.783] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.784] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3304) returned 1 [0053.784] CloseHandle (hObject=0x1e8) returned 1 [0053.784] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png")) returned 0x20 [0053.784] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.784] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.784] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.784] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.784] lstrlenW (lpString=".doc") returned 4 [0053.784] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.784] lstrlenW (lpString=".docx") returned 5 [0053.784] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0053.784] lstrlenW (lpString=".pdf") returned 4 [0053.784] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.784] lstrlenW (lpString=".xls") returned 4 [0053.784] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.784] lstrlenW (lpString=".xlsx") returned 5 [0053.784] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0053.784] lstrlenW (lpString=".ppt") returned 4 [0053.784] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.785] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.785] lstrlenW (lpString=".zip") returned 4 [0053.785] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.785] lstrlenW (lpString=".rar") returned 4 [0053.785] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.785] lstrlenW (lpString=".bz2") returned 4 [0053.785] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.785] lstrlenW (lpString=".7z") returned 3 [0053.785] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.785] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.785] lstrlenW (lpString=".dbf") returned 4 [0053.785] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.785] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.785] lstrlenW (lpString=".1cd") returned 4 [0053.785] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.785] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.785] lstrlenW (lpString=".jpg") returned 4 [0053.785] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.785] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.785] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.785] lstrlenW (lpString=".doc") returned 4 [0053.785] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.785] lstrlenW (lpString=".docx") returned 5 [0053.785] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0053.785] lstrlenW (lpString=".pdf") returned 4 [0053.785] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.785] lstrlenW (lpString=".xls") returned 4 [0053.786] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.786] lstrlenW (lpString=".xlsx") returned 5 [0053.786] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0053.786] lstrlenW (lpString=".ppt") returned 4 [0053.786] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.786] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.786] lstrlenW (lpString=".zip") returned 4 [0053.786] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.786] lstrlenW (lpString=".rar") returned 4 [0053.786] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.786] lstrlenW (lpString=".bz2") returned 4 [0053.786] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.786] lstrlenW (lpString=".7z") returned 3 [0053.786] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.786] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.786] lstrlenW (lpString=".dbf") returned 4 [0053.786] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.786] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.786] lstrlenW (lpString=".1cd") returned 4 [0053.786] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.786] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0053.786] lstrlenW (lpString=".jpg") returned 4 [0053.786] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.786] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.786] lstrlenW (lpString="4to3Squareframe_VideoInset.png") returned 30 [0053.787] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.787] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3467) returned 1 [0053.787] CloseHandle (hObject=0x1e8) returned 1 [0053.787] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png")) returned 0x20 [0053.787] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.787] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.787] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.787] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.787] lstrlenW (lpString=".doc") returned 4 [0053.787] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.788] lstrlenW (lpString=".docx") returned 5 [0053.788] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0053.788] lstrlenW (lpString=".pdf") returned 4 [0053.788] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.788] lstrlenW (lpString=".xls") returned 4 [0053.788] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.788] lstrlenW (lpString=".xlsx") returned 5 [0053.788] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0053.788] lstrlenW (lpString=".ppt") returned 4 [0053.788] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.788] lstrlenW (lpString=".zip") returned 4 [0053.788] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.788] lstrlenW (lpString=".rar") returned 4 [0053.788] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.788] lstrlenW (lpString=".bz2") returned 4 [0053.788] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.788] lstrlenW (lpString=".7z") returned 3 [0053.788] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.788] lstrlenW (lpString=".dbf") returned 4 [0053.788] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.788] lstrlenW (lpString=".1cd") returned 4 [0053.788] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.788] lstrlenW (lpString=".jpg") returned 4 [0053.788] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.789] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.789] lstrlenW (lpString=".doc") returned 4 [0053.789] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0053.789] lstrlenW (lpString=".docx") returned 5 [0053.789] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0053.789] lstrlenW (lpString=".pdf") returned 4 [0053.789] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0053.789] lstrlenW (lpString=".xls") returned 4 [0053.789] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0053.789] lstrlenW (lpString=".xlsx") returned 5 [0053.789] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0053.789] lstrlenW (lpString=".ppt") returned 4 [0053.789] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0053.789] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.789] lstrlenW (lpString=".zip") returned 4 [0053.789] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0053.789] lstrlenW (lpString=".rar") returned 4 [0053.789] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0053.789] lstrlenW (lpString=".bz2") returned 4 [0053.789] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0053.789] lstrlenW (lpString=".7z") returned 3 [0053.789] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0053.789] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.789] lstrlenW (lpString=".dbf") returned 4 [0053.789] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0053.789] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.789] lstrlenW (lpString=".1cd") returned 4 [0053.789] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0053.789] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0053.790] lstrlenW (lpString=".jpg") returned 4 [0053.790] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0053.790] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0053.790] lstrlenW (lpString="babyblue.png") returned 12 [0053.790] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.922] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=12349) returned 1 [0054.923] CloseHandle (hObject=0x208) returned 1 [0054.923] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png")) returned 0x20 [0054.923] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.923] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.923] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.923] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.923] lstrlenW (lpString=".doc") returned 4 [0054.923] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0054.923] lstrlenW (lpString=".docx") returned 5 [0054.923] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0054.923] lstrlenW (lpString=".pdf") returned 4 [0054.923] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0054.923] lstrlenW (lpString=".xls") returned 4 [0054.923] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0054.923] lstrlenW (lpString=".xlsx") returned 5 [0054.923] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0054.923] lstrlenW (lpString=".ppt") returned 4 [0054.923] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0054.923] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.924] lstrlenW (lpString=".zip") returned 4 [0054.924] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0054.924] lstrlenW (lpString=".rar") returned 4 [0054.924] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0054.924] lstrlenW (lpString=".bz2") returned 4 [0054.924] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0054.924] lstrlenW (lpString=".7z") returned 3 [0054.924] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0054.924] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.924] lstrlenW (lpString=".dbf") returned 4 [0054.924] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0054.924] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.924] lstrlenW (lpString=".1cd") returned 4 [0054.924] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0054.924] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.924] lstrlenW (lpString=".jpg") returned 4 [0054.924] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0054.924] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.924] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.924] lstrlenW (lpString=".doc") returned 4 [0054.924] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0054.924] lstrlenW (lpString=".docx") returned 5 [0054.924] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0054.924] lstrlenW (lpString=".pdf") returned 4 [0054.924] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0054.924] lstrlenW (lpString=".xls") returned 4 [0054.924] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0054.925] lstrlenW (lpString=".xlsx") returned 5 [0054.925] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0054.925] lstrlenW (lpString=".ppt") returned 4 [0054.925] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0054.925] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.925] lstrlenW (lpString=".zip") returned 4 [0054.925] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0054.925] lstrlenW (lpString=".rar") returned 4 [0054.925] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0054.925] lstrlenW (lpString=".bz2") returned 4 [0054.925] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0054.925] lstrlenW (lpString=".7z") returned 3 [0054.925] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0054.925] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.925] lstrlenW (lpString=".dbf") returned 4 [0054.925] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0054.925] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.925] lstrlenW (lpString=".1cd") returned 4 [0054.925] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0054.925] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0054.925] lstrlenW (lpString=".jpg") returned 4 [0054.925] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0054.957] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0054.957] lstrlenW (lpString="flower_trans_matte.wmv") returned 22 [0054.957] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.017] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=157208) returned 1 [0055.018] CloseHandle (hObject=0x214) returned 1 [0055.018] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv")) returned 0x20 [0055.018] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.018] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.018] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.018] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.018] lstrlenW (lpString=".doc") returned 4 [0055.018] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0055.018] lstrlenW (lpString=".docx") returned 5 [0055.018] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0055.018] lstrlenW (lpString=".pdf") returned 4 [0055.018] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0055.018] lstrlenW (lpString=".xls") returned 4 [0055.018] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0055.018] lstrlenW (lpString=".xlsx") returned 5 [0055.018] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0055.018] lstrlenW (lpString=".ppt") returned 4 [0055.018] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0055.018] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.019] lstrlenW (lpString=".zip") returned 4 [0055.019] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0055.019] lstrlenW (lpString=".rar") returned 4 [0055.019] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString=".bz2") returned 4 [0055.019] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString=".7z") returned 3 [0055.019] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0055.019] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.019] lstrlenW (lpString=".dbf") returned 4 [0055.019] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.019] lstrlenW (lpString=".1cd") returned 4 [0055.019] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.019] lstrlenW (lpString=".jpg") returned 4 [0055.019] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.019] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.019] lstrlenW (lpString=".doc") returned 4 [0055.019] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString=".docx") returned 5 [0055.019] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0055.019] lstrlenW (lpString=".pdf") returned 4 [0055.019] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0055.019] lstrlenW (lpString=".xls") returned 4 [0055.019] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0055.019] lstrlenW (lpString=".xlsx") returned 5 [0055.020] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0055.020] lstrlenW (lpString=".ppt") returned 4 [0055.020] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0055.020] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.020] lstrlenW (lpString=".zip") returned 4 [0055.020] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0055.020] lstrlenW (lpString=".rar") returned 4 [0055.020] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0055.020] lstrlenW (lpString=".bz2") returned 4 [0055.020] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0055.020] lstrlenW (lpString=".7z") returned 3 [0055.020] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0055.020] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.020] lstrlenW (lpString=".dbf") returned 4 [0055.020] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0055.020] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.020] lstrlenW (lpString=".1cd") returned 4 [0055.020] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0055.020] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 75 [0055.020] lstrlenW (lpString=".jpg") returned 4 [0055.020] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0055.020] lstrcmpiW (lpString1=".wmv", lpString2=".NcOv") returned 1 [0055.020] lstrlenW (lpString="flower_trans_rgb.wmv") returned 20 [0055.020] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0055.114] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=189214) returned 1 [0055.114] CloseHandle (hObject=0x228) returned 1 [0055.114] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv")) returned 0x20 [0055.115] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.115] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.115] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.115] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.115] lstrlenW (lpString=".doc") returned 4 [0055.115] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0055.115] lstrlenW (lpString=".docx") returned 5 [0055.115] lstrcmpiW (lpString1=".docx", lpString2="b.wmv") returned -1 [0055.115] lstrlenW (lpString=".pdf") returned 4 [0055.115] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0055.115] lstrlenW (lpString=".xls") returned 4 [0055.115] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0055.115] lstrlenW (lpString=".xlsx") returned 5 [0055.115] lstrcmpiW (lpString1=".xlsx", lpString2="b.wmv") returned -1 [0055.115] lstrlenW (lpString=".ppt") returned 4 [0055.115] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0055.115] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.115] lstrlenW (lpString=".zip") returned 4 [0055.115] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0055.115] lstrlenW (lpString=".rar") returned 4 [0055.115] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0055.115] lstrlenW (lpString=".bz2") returned 4 [0055.115] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0055.115] lstrlenW (lpString=".7z") returned 3 [0055.115] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0055.115] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.116] lstrlenW (lpString=".dbf") returned 4 [0055.116] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0055.116] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.116] lstrlenW (lpString=".1cd") returned 4 [0055.116] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0055.116] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.116] lstrlenW (lpString=".jpg") returned 4 [0055.116] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0055.116] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.116] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.116] lstrlenW (lpString=".doc") returned 4 [0055.116] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0055.116] lstrlenW (lpString=".docx") returned 5 [0055.116] lstrcmpiW (lpString1=".docx", lpString2="b.wmv") returned -1 [0055.116] lstrlenW (lpString=".pdf") returned 4 [0055.116] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0055.116] lstrlenW (lpString=".xls") returned 4 [0055.116] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0055.116] lstrlenW (lpString=".xlsx") returned 5 [0055.116] lstrcmpiW (lpString1=".xlsx", lpString2="b.wmv") returned -1 [0055.116] lstrlenW (lpString=".ppt") returned 4 [0055.116] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0055.116] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.116] lstrlenW (lpString=".zip") returned 4 [0055.116] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0055.116] lstrlenW (lpString=".rar") returned 4 [0055.116] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0055.117] lstrlenW (lpString=".bz2") returned 4 [0055.117] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0055.117] lstrlenW (lpString=".7z") returned 3 [0055.117] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0055.117] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.117] lstrlenW (lpString=".dbf") returned 4 [0055.117] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0055.117] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.117] lstrlenW (lpString=".1cd") returned 4 [0055.117] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0055.117] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 73 [0055.117] lstrlenW (lpString=".jpg") returned 4 [0055.117] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0055.117] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.117] lstrlenW (lpString="Title_content-background.png") returned 28 [0055.117] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0055.806] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=233668) returned 1 [0055.806] CloseHandle (hObject=0x208) returned 1 [0055.806] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png")) returned 0x20 [0055.806] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.807] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.807] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.807] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.807] lstrlenW (lpString=".doc") returned 4 [0055.807] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.807] lstrlenW (lpString=".docx") returned 5 [0055.807] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0055.807] lstrlenW (lpString=".pdf") returned 4 [0055.807] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.807] lstrlenW (lpString=".xls") returned 4 [0055.807] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.807] lstrlenW (lpString=".xlsx") returned 5 [0055.807] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0055.807] lstrlenW (lpString=".ppt") returned 4 [0055.807] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.807] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.807] lstrlenW (lpString=".zip") returned 4 [0055.807] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.807] lstrlenW (lpString=".rar") returned 4 [0055.807] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.807] lstrlenW (lpString=".bz2") returned 4 [0055.807] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.807] lstrlenW (lpString=".7z") returned 3 [0055.807] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.808] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.808] lstrlenW (lpString=".dbf") returned 4 [0055.808] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.808] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.808] lstrlenW (lpString=".1cd") returned 4 [0055.808] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.809] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.809] lstrlenW (lpString=".jpg") returned 4 [0055.809] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.809] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.809] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.809] lstrlenW (lpString=".doc") returned 4 [0055.809] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0055.809] lstrlenW (lpString=".docx") returned 5 [0055.809] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0055.809] lstrlenW (lpString=".pdf") returned 4 [0055.809] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0055.809] lstrlenW (lpString=".xls") returned 4 [0055.809] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0055.809] lstrlenW (lpString=".xlsx") returned 5 [0055.809] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0055.809] lstrlenW (lpString=".ppt") returned 4 [0055.809] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0055.809] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.809] lstrlenW (lpString=".zip") returned 4 [0055.809] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0055.809] lstrlenW (lpString=".rar") returned 4 [0055.809] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0055.809] lstrlenW (lpString=".bz2") returned 4 [0055.809] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0055.809] lstrlenW (lpString=".7z") returned 3 [0055.810] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0055.810] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.810] lstrlenW (lpString=".dbf") returned 4 [0055.810] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0055.810] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.810] lstrlenW (lpString=".1cd") returned 4 [0055.810] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0055.810] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 81 [0055.810] lstrlenW (lpString=".jpg") returned 4 [0055.810] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0055.810] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0055.810] lstrlenW (lpString="Pets_notes-txt-background.png") returned 29 [0055.810] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.506] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=7888) returned 1 [0056.506] CloseHandle (hObject=0x1bc) returned 1 [0056.506] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png")) returned 0x20 [0056.506] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.507] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.507] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.507] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.507] lstrlenW (lpString=".doc") returned 4 [0056.507] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0056.507] lstrlenW (lpString=".docx") returned 5 [0056.507] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0056.507] lstrlenW (lpString=".pdf") returned 4 [0056.507] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0056.507] lstrlenW (lpString=".xls") returned 4 [0056.507] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0056.507] lstrlenW (lpString=".xlsx") returned 5 [0056.507] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0056.507] lstrlenW (lpString=".ppt") returned 4 [0056.507] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0056.507] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.507] lstrlenW (lpString=".zip") returned 4 [0056.507] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0056.507] lstrlenW (lpString=".rar") returned 4 [0056.507] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0056.507] lstrlenW (lpString=".bz2") returned 4 [0056.508] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0056.508] lstrlenW (lpString=".7z") returned 3 [0056.508] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0056.508] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.508] lstrlenW (lpString=".dbf") returned 4 [0056.508] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0056.508] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.508] lstrlenW (lpString=".1cd") returned 4 [0056.508] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0056.508] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.508] lstrlenW (lpString=".jpg") returned 4 [0056.508] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0056.508] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.508] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.508] lstrlenW (lpString=".doc") returned 4 [0056.508] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0056.508] lstrlenW (lpString=".docx") returned 5 [0056.508] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0056.508] lstrlenW (lpString=".pdf") returned 4 [0056.508] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0056.508] lstrlenW (lpString=".xls") returned 4 [0056.508] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0056.508] lstrlenW (lpString=".xlsx") returned 5 [0056.508] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0056.508] lstrlenW (lpString=".ppt") returned 4 [0056.508] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0056.509] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.509] lstrlenW (lpString=".zip") returned 4 [0056.509] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0056.509] lstrlenW (lpString=".rar") returned 4 [0056.509] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0056.509] lstrlenW (lpString=".bz2") returned 4 [0056.509] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0056.509] lstrlenW (lpString=".7z") returned 3 [0056.509] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0056.509] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.509] lstrlenW (lpString=".dbf") returned 4 [0056.509] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0056.509] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.509] lstrlenW (lpString=".1cd") returned 4 [0056.509] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0056.509] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 78 [0056.509] lstrlenW (lpString=".jpg") returned 4 [0056.509] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0056.509] lstrcmpiW (lpString1=".png", lpString2=".NcOv") returned 1 [0056.509] lstrlenW (lpString="whitevignette1047.png") returned 21 [0056.509] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0056.820] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=169722) returned 1 [0056.820] CloseHandle (hObject=0x1ac) returned 1 [0056.827] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png")) returned 0x20 [0056.827] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.828] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.830] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.830] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.830] lstrlenW (lpString=".doc") returned 4 [0056.830] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0056.830] lstrlenW (lpString=".docx") returned 5 [0056.830] lstrcmpiW (lpString1=".docx", lpString2="7.png") returned -1 [0056.830] lstrlenW (lpString=".pdf") returned 4 [0056.830] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0056.832] lstrlenW (lpString=".xls") returned 4 [0056.832] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0056.832] lstrlenW (lpString=".xlsx") returned 5 [0056.832] lstrcmpiW (lpString1=".xlsx", lpString2="7.png") returned -1 [0056.832] lstrlenW (lpString=".ppt") returned 4 [0056.832] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0056.834] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.834] lstrlenW (lpString=".zip") returned 4 [0056.834] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0056.834] lstrlenW (lpString=".rar") returned 4 [0056.834] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0056.838] lstrlenW (lpString=".bz2") returned 4 [0056.838] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0056.838] lstrlenW (lpString=".7z") returned 3 [0056.838] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0056.839] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.839] lstrlenW (lpString=".dbf") returned 4 [0056.839] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0056.839] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.842] lstrlenW (lpString=".1cd") returned 4 [0056.842] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0056.842] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.842] lstrlenW (lpString=".jpg") returned 4 [0056.842] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0056.843] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.843] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.843] lstrlenW (lpString=".doc") returned 4 [0056.843] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0056.844] lstrlenW (lpString=".docx") returned 5 [0056.844] lstrcmpiW (lpString1=".docx", lpString2="7.png") returned -1 [0056.844] lstrlenW (lpString=".pdf") returned 4 [0056.844] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0056.844] lstrlenW (lpString=".xls") returned 4 [0056.844] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0056.844] lstrlenW (lpString=".xlsx") returned 5 [0056.844] lstrcmpiW (lpString1=".xlsx", lpString2="7.png") returned -1 [0056.844] lstrlenW (lpString=".ppt") returned 4 [0056.844] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0056.844] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.844] lstrlenW (lpString=".zip") returned 4 [0056.846] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0056.846] lstrlenW (lpString=".rar") returned 4 [0056.846] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0056.846] lstrlenW (lpString=".bz2") returned 4 [0056.846] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0056.848] lstrlenW (lpString=".7z") returned 3 [0056.848] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0056.849] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.849] lstrlenW (lpString=".dbf") returned 4 [0056.849] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0056.849] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.855] lstrlenW (lpString=".1cd") returned 4 [0056.855] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0056.855] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 81 [0056.855] lstrlenW (lpString=".jpg") returned 4 [0056.855] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0056.855] lstrcmpiW (lpString1=".xsl", lpString2=".NcOv") returned 1 [0056.855] lstrlenW (lpString="Informix.xsl") returned 12 [0056.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0058.127] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=30948) returned 1 [0058.127] CloseHandle (hObject=0x1f4) returned 1 [0058.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 0x20 [0058.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0058.127] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.127] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0058.128] GetLastError () returned 0x0 [0058.128] ReadFile (in: hFile=0x1f4, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x78e4, lpOverlapped=0x0) returned 1 [0058.931] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x78f0, lpOverlapped=0x0) returned 1 [0059.214] ReadFile (in: hFile=0x1f4, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.214] WriteFile (in: hFile=0x188, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.214] SetEndOfFile (hFile=0x188) returned 1 [0059.605] CloseHandle (hObject=0x188) returned 1 [0059.605] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.605] SetEndOfFile (hFile=0x1f4) returned 1 [0059.607] CloseHandle (hObject=0x1f4) returned 1 [0059.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0059.607] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 1 [0059.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0059.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0059.653] lstrlenW (lpString=".doc") returned 4 [0059.653] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString=".docx") returned 5 [0059.653] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0059.653] lstrlenW (lpString=".pdf") returned 4 [0059.653] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString=".xls") returned 4 [0059.653] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString=".xlsx") returned 5 [0059.653] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0059.653] lstrlenW (lpString=".ppt") returned 4 [0059.653] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0059.653] lstrlenW (lpString=".zip") returned 4 [0059.653] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0059.653] lstrlenW (lpString=".rar") returned 4 [0059.653] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString=".bz2") returned 4 [0059.653] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString=".7z") returned 3 [0059.653] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0059.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0059.653] lstrlenW (lpString=".dbf") returned 4 [0059.653] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0059.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0059.654] lstrlenW (lpString=".1cd") returned 4 [0060.079] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0060.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.079] lstrlenW (lpString=".jpg") returned 4 [0060.079] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.080] lstrlenW (lpString=".doc") returned 4 [0060.080] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString=".docx") returned 5 [0060.080] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0060.080] lstrlenW (lpString=".pdf") returned 4 [0060.080] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString=".xls") returned 4 [0060.080] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString=".xlsx") returned 5 [0060.080] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0060.080] lstrlenW (lpString=".ppt") returned 4 [0060.080] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.080] lstrlenW (lpString=".zip") returned 4 [0060.080] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0060.080] lstrlenW (lpString=".rar") returned 4 [0060.080] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString=".bz2") returned 4 [0060.080] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString=".7z") returned 3 [0060.080] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0060.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.080] lstrlenW (lpString=".dbf") returned 4 [0060.080] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.080] lstrlenW (lpString=".1cd") returned 4 [0060.080] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0060.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0060.080] lstrlenW (lpString=".jpg") returned 4 [0060.080] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0060.081] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0060.081] lstrlenW (lpString="AG00004_.GIF") returned 12 [0060.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.302] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=9024) returned 1 [0060.302] CloseHandle (hObject=0x1a0) returned 1 [0060.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 0x20 [0060.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.303] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.303] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0060.303] GetLastError () returned 0x0 [0060.303] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x2340, lpOverlapped=0x0) returned 1 [0060.306] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x2350, lpOverlapped=0x0) returned 1 [0060.307] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.307] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.307] SetEndOfFile (hFile=0x1f4) returned 1 [0060.307] CloseHandle (hObject=0x1f4) returned 1 [0060.308] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.308] SetEndOfFile (hFile=0x1a0) returned 1 [0060.309] CloseHandle (hObject=0x1a0) returned 1 [0060.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0060.309] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0060.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.310] lstrlenW (lpString=".doc") returned 4 [0060.310] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.310] lstrlenW (lpString=".docx") returned 5 [0060.310] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.310] lstrlenW (lpString=".pdf") returned 4 [0060.310] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.310] lstrlenW (lpString=".xls") returned 4 [0060.310] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.310] lstrlenW (lpString=".xlsx") returned 5 [0060.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.310] lstrlenW (lpString=".ppt") returned 4 [0060.310] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.310] lstrlenW (lpString=".zip") returned 4 [0060.310] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.310] lstrlenW (lpString=".rar") returned 4 [0060.310] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.310] lstrlenW (lpString=".bz2") returned 4 [0060.310] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.310] lstrlenW (lpString=".7z") returned 3 [0060.310] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.310] lstrlenW (lpString=".dbf") returned 4 [0060.310] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.310] lstrlenW (lpString=".1cd") returned 4 [0060.310] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.311] lstrlenW (lpString=".jpg") returned 4 [0060.311] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.311] lstrlenW (lpString=".doc") returned 4 [0060.311] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.311] lstrlenW (lpString=".docx") returned 5 [0060.311] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.311] lstrlenW (lpString=".pdf") returned 4 [0060.311] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.311] lstrlenW (lpString=".xls") returned 4 [0060.311] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.311] lstrlenW (lpString=".xlsx") returned 5 [0060.311] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.311] lstrlenW (lpString=".ppt") returned 4 [0060.311] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.311] lstrlenW (lpString=".zip") returned 4 [0060.311] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.311] lstrlenW (lpString=".rar") returned 4 [0060.311] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.311] lstrlenW (lpString=".bz2") returned 4 [0060.311] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.311] lstrlenW (lpString=".7z") returned 3 [0060.311] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.312] lstrlenW (lpString=".dbf") returned 4 [0060.312] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.312] lstrlenW (lpString=".1cd") returned 4 [0060.312] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0060.312] lstrlenW (lpString=".jpg") returned 4 [0060.312] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.312] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0060.312] lstrlenW (lpString="AG00011_.GIF") returned 12 [0060.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.313] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=7216) returned 1 [0060.313] CloseHandle (hObject=0x1a0) returned 1 [0060.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 0x20 [0060.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.313] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.313] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0060.314] GetLastError () returned 0x0 [0060.314] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x1c30, lpOverlapped=0x0) returned 1 [0060.316] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1c40, lpOverlapped=0x0) returned 1 [0060.317] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.317] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.317] SetEndOfFile (hFile=0x1f4) returned 1 [0060.317] CloseHandle (hObject=0x1f4) returned 1 [0060.318] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.318] SetEndOfFile (hFile=0x1a0) returned 1 [0060.319] CloseHandle (hObject=0x1a0) returned 1 [0060.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0060.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0060.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.320] lstrlenW (lpString=".doc") returned 4 [0060.320] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.320] lstrlenW (lpString=".docx") returned 5 [0060.320] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.320] lstrlenW (lpString=".pdf") returned 4 [0060.320] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.320] lstrlenW (lpString=".xls") returned 4 [0060.320] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.320] lstrlenW (lpString=".xlsx") returned 5 [0060.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.320] lstrlenW (lpString=".ppt") returned 4 [0060.320] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.320] lstrlenW (lpString=".zip") returned 4 [0060.320] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.320] lstrlenW (lpString=".rar") returned 4 [0060.320] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.320] lstrlenW (lpString=".bz2") returned 4 [0060.320] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.320] lstrlenW (lpString=".7z") returned 3 [0060.320] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.320] lstrlenW (lpString=".dbf") returned 4 [0060.320] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.320] lstrlenW (lpString=".1cd") returned 4 [0060.320] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.321] lstrlenW (lpString=".jpg") returned 4 [0060.321] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.321] lstrlenW (lpString=".doc") returned 4 [0060.321] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.321] lstrlenW (lpString=".docx") returned 5 [0060.321] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.321] lstrlenW (lpString=".pdf") returned 4 [0060.321] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.321] lstrlenW (lpString=".xls") returned 4 [0060.321] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.321] lstrlenW (lpString=".xlsx") returned 5 [0060.321] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.321] lstrlenW (lpString=".ppt") returned 4 [0060.321] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.321] lstrlenW (lpString=".zip") returned 4 [0060.321] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.321] lstrlenW (lpString=".rar") returned 4 [0060.321] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.321] lstrlenW (lpString=".bz2") returned 4 [0060.321] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.321] lstrlenW (lpString=".7z") returned 3 [0060.321] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.321] lstrlenW (lpString=".dbf") returned 4 [0060.322] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.322] lstrlenW (lpString=".1cd") returned 4 [0060.322] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0060.322] lstrlenW (lpString=".jpg") returned 4 [0060.322] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.322] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0060.322] lstrlenW (lpString="AG00021_.GIF") returned 12 [0060.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.324] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=14873) returned 1 [0060.324] CloseHandle (hObject=0x1a0) returned 1 [0060.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 0x20 [0060.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.324] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.324] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0060.326] GetLastError () returned 0x0 [0060.326] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x3a19, lpOverlapped=0x0) returned 1 [0060.328] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0060.329] ReadFile (in: hFile=0x1a0, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.329] WriteFile (in: hFile=0x1f4, lpBuffer=0x34d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34d0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.329] SetEndOfFile (hFile=0x1f4) returned 1 [0060.329] CloseHandle (hObject=0x1f4) returned 1 [0060.330] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.330] SetEndOfFile (hFile=0x1a0) returned 1 [0060.331] CloseHandle (hObject=0x1a0) returned 1 [0060.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0060.331] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0060.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.332] lstrlenW (lpString=".doc") returned 4 [0060.332] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.332] lstrlenW (lpString=".docx") returned 5 [0060.332] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.811] lstrlenW (lpString=".pdf") returned 4 [0060.811] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.811] lstrlenW (lpString=".xls") returned 4 [0060.811] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.811] lstrlenW (lpString=".xlsx") returned 5 [0060.811] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.816] lstrlenW (lpString=".ppt") returned 4 [0060.816] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.816] lstrlenW (lpString=".zip") returned 4 [0060.816] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.816] lstrlenW (lpString=".rar") returned 4 [0060.816] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.816] lstrlenW (lpString=".bz2") returned 4 [0060.816] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.816] lstrlenW (lpString=".7z") returned 3 [0060.817] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.817] lstrlenW (lpString=".dbf") returned 4 [0060.817] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.817] lstrlenW (lpString=".1cd") returned 4 [0060.817] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.817] lstrlenW (lpString=".jpg") returned 4 [0060.817] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.817] lstrlenW (lpString=".doc") returned 4 [0060.817] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.817] lstrlenW (lpString=".docx") returned 5 [0060.817] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.817] lstrlenW (lpString=".pdf") returned 4 [0060.817] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.817] lstrlenW (lpString=".xls") returned 4 [0060.817] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.817] lstrlenW (lpString=".xlsx") returned 5 [0060.817] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.817] lstrlenW (lpString=".ppt") returned 4 [0060.817] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.817] lstrlenW (lpString=".zip") returned 4 [0060.817] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.818] lstrlenW (lpString=".rar") returned 4 [0060.818] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.818] lstrlenW (lpString=".bz2") returned 4 [0060.818] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.818] lstrlenW (lpString=".7z") returned 3 [0060.818] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.818] lstrlenW (lpString=".dbf") returned 4 [0060.818] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.818] lstrlenW (lpString=".1cd") returned 4 [0060.818] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0060.818] lstrlenW (lpString=".jpg") returned 4 [0060.818] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.818] lstrcmpiW (lpString1=".GIF", lpString2=".NcOv") returned -1 [0060.818] lstrlenW (lpString="AG00142_.GIF") returned 12 [0060.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0063.793] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=15308) returned 1 [0063.793] CloseHandle (hObject=0x19c) returned 1 [0063.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 0x20 [0063.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0063.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0063.793] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.793] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0063.794] GetLastError () returned 0x0 [0063.794] ReadFile (hFile=0x19c, lpBuffer=0x34d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0) Thread: id = 12 os_tid = 0x5c4 [0036.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5e40a0 [0036.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x3720048 [0036.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7a8 [0036.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x55ad08 [0036.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7c0 [0036.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3820020 [0036.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7d8 [0036.659] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a7d8, Size=0x20) returned 0x5a34e8 [0036.659] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a7d8 [0036.659] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a7d8, Size=0x20) returned 0x5a34c0 [0036.659] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0036.659] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0036.659] Wow64DisableWow64FsRedirection (in: OldValue=0x2daff58 | out: OldValue=0x2daff58*=0x0) returned 1 [0036.659] lstrlenW (lpString="kernel32.dll") returned 12 [0036.659] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34e8 | out: hHeap=0x500000) returned 1 [0036.659] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0036.659] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a34c0 | out: hHeap=0x500000) returned 1 [0036.659] Sleep (dwMilliseconds=0x64) [0036.781] Sleep (dwMilliseconds=0x64) [0037.010] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.010] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0037.010] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.027] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1565) returned 1 [0037.027] CloseHandle (hObject=0x170) returned 1 [0037.027] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0037.027] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.027] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.027] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.028] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.029] GetLastError () returned 0x0 [0037.029] ReadFile (in: hFile=0x170, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x61d, lpOverlapped=0x0) returned 1 [0037.057] WriteFile (in: hFile=0x174, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x620, lpOverlapped=0x0) returned 1 [0037.058] ReadFile (in: hFile=0x170, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.058] WriteFile (in: hFile=0x174, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.058] SetEndOfFile (hFile=0x174) returned 1 [0037.058] CloseHandle (hObject=0x174) returned 1 [0037.059] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.059] SetEndOfFile (hFile=0x170) returned 1 [0037.060] CloseHandle (hObject=0x170) returned 1 [0037.060] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.060] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString=".doc") returned 4 [0037.061] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".docx") returned 5 [0037.061] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.061] lstrlenW (lpString=".pdf") returned 4 [0037.061] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".xls") returned 4 [0037.061] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".xlsx") returned 5 [0037.061] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.061] lstrlenW (lpString=".ppt") returned 4 [0037.061] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString=".zip") returned 4 [0037.061] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.061] lstrlenW (lpString=".rar") returned 4 [0037.061] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".bz2") returned 4 [0037.061] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".7z") returned 3 [0037.061] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString=".dbf") returned 4 [0037.061] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString=".1cd") returned 4 [0037.061] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString=".jpg") returned 4 [0037.061] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.061] lstrlenW (lpString=".doc") returned 4 [0037.061] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".docx") returned 5 [0037.061] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.062] lstrlenW (lpString=".pdf") returned 4 [0037.062] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString=".xls") returned 4 [0037.062] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString=".xlsx") returned 5 [0037.062] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.062] lstrlenW (lpString=".ppt") returned 4 [0037.062] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.062] lstrlenW (lpString=".zip") returned 4 [0037.062] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.062] lstrlenW (lpString=".rar") returned 4 [0037.062] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString=".bz2") returned 4 [0037.062] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString=".7z") returned 3 [0037.062] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.062] lstrlenW (lpString=".dbf") returned 4 [0037.062] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.062] lstrlenW (lpString=".1cd") returned 4 [0037.062] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0037.062] lstrlenW (lpString=".jpg") returned 4 [0037.062] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.062] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.062] lstrlenW (lpString="Setup.xml") returned 9 [0037.062] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.063] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1886) returned 1 [0037.063] CloseHandle (hObject=0x170) returned 1 [0037.063] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.063] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.063] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.063] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.063] GetLastError () returned 0x0 [0037.063] ReadFile (in: hFile=0x170, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x75e, lpOverlapped=0x0) returned 1 [0037.067] WriteFile (in: hFile=0x174, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x760, lpOverlapped=0x0) returned 1 [0037.068] ReadFile (in: hFile=0x170, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.068] WriteFile (in: hFile=0x174, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.069] SetEndOfFile (hFile=0x174) returned 1 [0037.069] CloseHandle (hObject=0x174) returned 1 [0037.069] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.069] SetEndOfFile (hFile=0x170) returned 1 [0037.070] CloseHandle (hObject=0x170) returned 1 [0037.070] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.070] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.071] lstrlenW (lpString=".doc") returned 4 [0037.071] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString=".docx") returned 5 [0037.071] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.071] lstrlenW (lpString=".pdf") returned 4 [0037.071] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString=".xls") returned 4 [0037.071] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString=".xlsx") returned 5 [0037.071] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.071] lstrlenW (lpString=".ppt") returned 4 [0037.071] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.071] lstrlenW (lpString=".zip") returned 4 [0037.071] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.071] lstrlenW (lpString=".rar") returned 4 [0037.071] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString=".bz2") returned 4 [0037.071] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString=".7z") returned 3 [0037.071] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.071] lstrlenW (lpString=".dbf") returned 4 [0037.071] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.071] lstrlenW (lpString=".1cd") returned 4 [0037.071] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.071] lstrlenW (lpString=".jpg") returned 4 [0037.071] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.072] lstrlenW (lpString=".doc") returned 4 [0037.072] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString=".docx") returned 5 [0037.072] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.072] lstrlenW (lpString=".pdf") returned 4 [0037.072] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString=".xls") returned 4 [0037.072] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString=".xlsx") returned 5 [0037.072] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.072] lstrlenW (lpString=".ppt") returned 4 [0037.072] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.072] lstrlenW (lpString=".zip") returned 4 [0037.072] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.072] lstrlenW (lpString=".rar") returned 4 [0037.072] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString=".bz2") returned 4 [0037.072] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.072] lstrlenW (lpString=".7z") returned 3 [0037.151] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.151] lstrlenW (lpString=".dbf") returned 4 [0037.151] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.151] lstrlenW (lpString=".1cd") returned 4 [0037.151] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.151] lstrlenW (lpString=".jpg") returned 4 [0037.151] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.151] Sleep (dwMilliseconds=0x64) [0037.324] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.325] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0037.325] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0037.326] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=3186) returned 1 [0037.326] CloseHandle (hObject=0x15c) returned 1 [0037.326] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0037.326] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.326] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0037.326] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.326] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.326] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.326] GetLastError () returned 0x0 [0037.326] ReadFile (in: hFile=0x15c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0xc72, lpOverlapped=0x0) returned 1 [0037.688] WriteFile (in: hFile=0x178, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xc80, lpOverlapped=0x0) returned 1 [0037.689] ReadFile (in: hFile=0x15c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.689] WriteFile (in: hFile=0x178, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.689] SetEndOfFile (hFile=0x178) returned 1 [0037.689] CloseHandle (hObject=0x178) returned 1 [0037.699] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.700] SetEndOfFile (hFile=0x15c) returned 1 [0037.700] CloseHandle (hObject=0x15c) returned 1 [0037.700] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.701] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0037.701] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.701] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.701] lstrlenW (lpString=".doc") returned 4 [0037.701] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.701] lstrlenW (lpString=".docx") returned 5 [0037.701] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.701] lstrlenW (lpString=".pdf") returned 4 [0037.701] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.701] lstrlenW (lpString=".xls") returned 4 [0037.701] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.701] lstrlenW (lpString=".xlsx") returned 5 [0037.701] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.701] lstrlenW (lpString=".ppt") returned 4 [0037.701] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.701] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.701] lstrlenW (lpString=".zip") returned 4 [0037.701] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.702] lstrlenW (lpString=".rar") returned 4 [0037.702] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString=".bz2") returned 4 [0037.702] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString=".7z") returned 3 [0037.702] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.702] lstrlenW (lpString=".dbf") returned 4 [0037.702] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.702] lstrlenW (lpString=".1cd") returned 4 [0037.702] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.702] lstrlenW (lpString=".jpg") returned 4 [0037.702] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.702] lstrlenW (lpString=".doc") returned 4 [0037.702] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString=".docx") returned 5 [0037.702] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.702] lstrlenW (lpString=".pdf") returned 4 [0037.702] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString=".xls") returned 4 [0037.702] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString=".xlsx") returned 5 [0037.702] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.702] lstrlenW (lpString=".ppt") returned 4 [0037.702] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.702] lstrlenW (lpString=".zip") returned 4 [0037.702] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.702] lstrlenW (lpString=".rar") returned 4 [0037.702] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.702] lstrlenW (lpString=".bz2") returned 4 [0037.703] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.703] lstrlenW (lpString=".7z") returned 3 [0037.703] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.703] lstrlenW (lpString=".dbf") returned 4 [0037.703] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.703] lstrlenW (lpString=".1cd") returned 4 [0037.703] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0037.703] lstrlenW (lpString=".jpg") returned 4 [0037.703] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.703] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.703] lstrlenW (lpString="Proof.xml") returned 9 [0037.703] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0037.704] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1347) returned 1 [0037.704] CloseHandle (hObject=0x15c) returned 1 [0037.704] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0037.704] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.704] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0037.704] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.704] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.704] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.705] GetLastError () returned 0x0 [0037.705] ReadFile (in: hFile=0x15c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x543, lpOverlapped=0x0) returned 1 [0037.726] WriteFile (in: hFile=0x178, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x550, lpOverlapped=0x0) returned 1 [0037.728] ReadFile (in: hFile=0x15c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.728] WriteFile (in: hFile=0x178, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.728] SetEndOfFile (hFile=0x178) returned 1 [0037.728] CloseHandle (hObject=0x178) returned 1 [0037.729] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.729] SetEndOfFile (hFile=0x15c) returned 1 [0037.729] CloseHandle (hObject=0x15c) returned 1 [0037.730] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.730] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0037.730] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.730] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.730] lstrlenW (lpString=".doc") returned 4 [0037.730] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.730] lstrlenW (lpString=".docx") returned 5 [0037.730] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0037.730] lstrlenW (lpString=".pdf") returned 4 [0037.730] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.730] lstrlenW (lpString=".xls") returned 4 [0037.730] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.730] lstrlenW (lpString=".xlsx") returned 5 [0037.730] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0037.730] lstrlenW (lpString=".ppt") returned 4 [0037.730] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.730] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.730] lstrlenW (lpString=".zip") returned 4 [0037.730] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.730] lstrlenW (lpString=".rar") returned 4 [0037.730] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.730] lstrlenW (lpString=".bz2") returned 4 [0037.730] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString=".7z") returned 3 [0037.731] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.731] lstrlenW (lpString=".dbf") returned 4 [0037.731] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.731] lstrlenW (lpString=".1cd") returned 4 [0037.731] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.731] lstrlenW (lpString=".jpg") returned 4 [0037.731] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.731] lstrlenW (lpString=".doc") returned 4 [0037.731] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString=".docx") returned 5 [0037.731] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0037.731] lstrlenW (lpString=".pdf") returned 4 [0037.731] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString=".xls") returned 4 [0037.731] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString=".xlsx") returned 5 [0037.731] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0037.731] lstrlenW (lpString=".ppt") returned 4 [0037.731] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.731] lstrlenW (lpString=".zip") returned 4 [0037.731] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.731] lstrlenW (lpString=".rar") returned 4 [0037.731] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString=".bz2") returned 4 [0037.731] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.731] lstrlenW (lpString=".7z") returned 3 [0037.731] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.731] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.732] lstrlenW (lpString=".dbf") returned 4 [0037.732] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.732] lstrlenW (lpString=".1cd") returned 4 [0037.732] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0037.732] lstrlenW (lpString=".jpg") returned 4 [0037.732] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.732] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.732] lstrlenW (lpString="Setup.xml") returned 9 [0037.732] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0037.732] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=5884) returned 1 [0037.732] CloseHandle (hObject=0x15c) returned 1 [0037.732] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.732] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.732] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0037.732] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.733] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.733] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0037.733] GetLastError () returned 0x0 [0037.733] ReadFile (in: hFile=0x15c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x16fc, lpOverlapped=0x0) returned 1 [0037.750] WriteFile (in: hFile=0x178, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x1700, lpOverlapped=0x0) returned 1 [0037.751] ReadFile (in: hFile=0x15c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.751] WriteFile (in: hFile=0x178, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.752] SetEndOfFile (hFile=0x178) returned 1 [0037.752] CloseHandle (hObject=0x178) returned 1 [0037.752] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.752] SetEndOfFile (hFile=0x15c) returned 1 [0037.753] CloseHandle (hObject=0x15c) returned 1 [0037.753] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.754] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.754] lstrlenW (lpString=".doc") returned 4 [0037.754] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.754] lstrlenW (lpString=".docx") returned 5 [0037.754] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.754] lstrlenW (lpString=".pdf") returned 4 [0037.754] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.754] lstrlenW (lpString=".xls") returned 4 [0037.754] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.754] lstrlenW (lpString=".xlsx") returned 5 [0037.754] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.754] lstrlenW (lpString=".ppt") returned 4 [0037.754] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.754] lstrlenW (lpString=".zip") returned 4 [0037.754] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.754] lstrlenW (lpString=".rar") returned 4 [0037.754] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.754] lstrlenW (lpString=".bz2") returned 4 [0037.754] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.754] lstrlenW (lpString=".7z") returned 3 [0037.754] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString=".dbf") returned 4 [0037.755] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString=".1cd") returned 4 [0037.755] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString=".jpg") returned 4 [0037.755] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString=".doc") returned 4 [0037.755] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString=".docx") returned 5 [0037.755] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.755] lstrlenW (lpString=".pdf") returned 4 [0037.755] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString=".xls") returned 4 [0037.755] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString=".xlsx") returned 5 [0037.755] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.755] lstrlenW (lpString=".ppt") returned 4 [0037.755] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString=".zip") returned 4 [0037.755] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.755] lstrlenW (lpString=".rar") returned 4 [0037.755] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString=".bz2") returned 4 [0037.755] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString=".7z") returned 3 [0037.755] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.755] lstrlenW (lpString=".dbf") returned 4 [0037.755] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.756] lstrlenW (lpString=".1cd") returned 4 [0037.756] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.756] lstrlenW (lpString=".jpg") returned 4 [0037.756] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.756] Sleep (dwMilliseconds=0x64) [0037.853] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.853] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0037.853] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.854] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1231) returned 1 [0037.854] CloseHandle (hObject=0x18c) returned 1 [0037.854] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0037.854] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.854] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.854] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.854] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.854] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.873] GetLastError () returned 0x0 [0037.873] ReadFile (in: hFile=0x18c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x4cf, lpOverlapped=0x0) returned 1 [0037.906] WriteFile (in: hFile=0x184, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0037.908] ReadFile (in: hFile=0x18c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.908] WriteFile (in: hFile=0x184, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf2, lpOverlapped=0x0) returned 1 [0037.908] SetEndOfFile (hFile=0x184) returned 1 [0037.908] CloseHandle (hObject=0x184) returned 1 [0037.909] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.909] SetEndOfFile (hFile=0x18c) returned 1 [0037.910] CloseHandle (hObject=0x18c) returned 1 [0037.910] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.910] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0037.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.911] lstrlenW (lpString=".doc") returned 4 [0037.911] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString=".docx") returned 5 [0037.911] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.911] lstrlenW (lpString=".pdf") returned 4 [0037.911] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString=".xls") returned 4 [0037.911] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString=".xlsx") returned 5 [0037.911] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.911] lstrlenW (lpString=".ppt") returned 4 [0037.911] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.911] lstrlenW (lpString=".zip") returned 4 [0037.911] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.911] lstrlenW (lpString=".rar") returned 4 [0037.911] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString=".bz2") returned 4 [0037.911] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString=".7z") returned 3 [0037.911] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.911] lstrlenW (lpString=".dbf") returned 4 [0037.911] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.911] lstrlenW (lpString=".1cd") returned 4 [0037.911] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.912] lstrlenW (lpString=".jpg") returned 4 [0037.912] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.912] lstrlenW (lpString=".doc") returned 4 [0037.912] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString=".docx") returned 5 [0037.912] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.912] lstrlenW (lpString=".pdf") returned 4 [0037.912] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString=".xls") returned 4 [0037.912] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString=".xlsx") returned 5 [0037.912] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.912] lstrlenW (lpString=".ppt") returned 4 [0037.912] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.912] lstrlenW (lpString=".zip") returned 4 [0037.912] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.912] lstrlenW (lpString=".rar") returned 4 [0037.912] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString=".bz2") returned 4 [0037.912] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.912] lstrlenW (lpString=".7z") returned 3 [0037.912] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.912] lstrlenW (lpString=".dbf") returned 4 [0037.912] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.913] lstrlenW (lpString=".1cd") returned 4 [0037.913] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0037.913] lstrlenW (lpString=".jpg") returned 4 [0037.913] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.913] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.913] lstrlenW (lpString="Setup.xml") returned 9 [0037.913] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.916] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1988) returned 1 [0037.916] CloseHandle (hObject=0x18c) returned 1 [0037.916] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.916] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.917] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.917] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.917] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.917] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.917] GetLastError () returned 0x0 [0037.917] ReadFile (in: hFile=0x18c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x7c4, lpOverlapped=0x0) returned 1 [0037.929] WriteFile (in: hFile=0x184, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0037.930] ReadFile (in: hFile=0x18c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.930] WriteFile (in: hFile=0x184, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.931] SetEndOfFile (hFile=0x184) returned 1 [0037.931] CloseHandle (hObject=0x184) returned 1 [0037.931] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.932] SetEndOfFile (hFile=0x18c) returned 1 [0037.933] CloseHandle (hObject=0x18c) returned 1 [0037.933] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.933] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.933] lstrlenW (lpString=".doc") returned 4 [0037.933] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.933] lstrlenW (lpString=".docx") returned 5 [0037.933] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.933] lstrlenW (lpString=".pdf") returned 4 [0037.933] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.933] lstrlenW (lpString=".xls") returned 4 [0037.934] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.934] lstrlenW (lpString=".xlsx") returned 5 [0037.934] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.934] lstrlenW (lpString=".ppt") returned 4 [0037.934] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.934] lstrlenW (lpString=".zip") returned 4 [0037.934] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.934] lstrlenW (lpString=".rar") returned 4 [0037.934] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.934] lstrlenW (lpString=".bz2") returned 4 [0037.934] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.934] lstrlenW (lpString=".7z") returned 3 [0037.934] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.935] lstrlenW (lpString=".dbf") returned 4 [0037.935] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.935] lstrlenW (lpString=".1cd") returned 4 [0037.935] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.935] lstrlenW (lpString=".jpg") returned 4 [0037.935] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.935] lstrlenW (lpString=".doc") returned 4 [0037.935] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString=".docx") returned 5 [0037.935] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.935] lstrlenW (lpString=".pdf") returned 4 [0037.935] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString=".xls") returned 4 [0037.935] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString=".xlsx") returned 5 [0037.935] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.935] lstrlenW (lpString=".ppt") returned 4 [0037.935] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.935] lstrlenW (lpString=".zip") returned 4 [0037.935] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.935] lstrlenW (lpString=".rar") returned 4 [0037.935] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.936] lstrlenW (lpString=".bz2") returned 4 [0037.936] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.936] lstrlenW (lpString=".7z") returned 3 [0037.936] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.936] lstrlenW (lpString=".dbf") returned 4 [0037.936] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.936] lstrlenW (lpString=".1cd") returned 4 [0037.936] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.936] lstrlenW (lpString=".jpg") returned 4 [0037.936] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.936] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0037.936] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0037.936] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.938] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1452) returned 1 [0037.938] CloseHandle (hObject=0x18c) returned 1 [0037.938] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0037.938] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.938] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.939] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.939] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.939] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.939] GetLastError () returned 0x0 [0037.939] ReadFile (in: hFile=0x18c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x5ac, lpOverlapped=0x0) returned 1 [0037.956] WriteFile (in: hFile=0x184, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0037.957] ReadFile (in: hFile=0x18c, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.957] WriteFile (in: hFile=0x184, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.957] SetEndOfFile (hFile=0x184) returned 1 [0037.957] CloseHandle (hObject=0x184) returned 1 [0037.958] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.958] SetEndOfFile (hFile=0x18c) returned 1 [0037.959] CloseHandle (hObject=0x18c) returned 1 [0037.959] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0037.959] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0037.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString=".doc") returned 4 [0037.960] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString=".docx") returned 5 [0037.960] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.960] lstrlenW (lpString=".pdf") returned 4 [0037.960] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString=".xls") returned 4 [0037.960] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString=".xlsx") returned 5 [0037.960] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.960] lstrlenW (lpString=".ppt") returned 4 [0037.960] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString=".zip") returned 4 [0037.960] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.960] lstrlenW (lpString=".rar") returned 4 [0037.960] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString=".bz2") returned 4 [0037.960] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString=".7z") returned 3 [0037.960] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString=".dbf") returned 4 [0037.960] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString=".1cd") returned 4 [0037.960] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString=".jpg") returned 4 [0037.960] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.960] lstrlenW (lpString=".doc") returned 4 [0037.960] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.960] lstrlenW (lpString=".docx") returned 5 [0037.960] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.961] lstrlenW (lpString=".pdf") returned 4 [0037.961] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString=".xls") returned 4 [0037.961] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString=".xlsx") returned 5 [0037.961] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.961] lstrlenW (lpString=".ppt") returned 4 [0037.961] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.961] lstrlenW (lpString=".zip") returned 4 [0037.961] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.961] lstrlenW (lpString=".rar") returned 4 [0037.961] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString=".bz2") returned 4 [0037.961] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString=".7z") returned 3 [0037.961] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.961] lstrlenW (lpString=".dbf") returned 4 [0037.961] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.961] lstrlenW (lpString=".1cd") returned 4 [0037.961] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0037.961] lstrlenW (lpString=".jpg") returned 4 [0037.961] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.961] Sleep (dwMilliseconds=0x64) [0038.071] Sleep (dwMilliseconds=0x64) [0038.180] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0038.180] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0038.180] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0038.180] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=819) returned 1 [0038.180] CloseHandle (hObject=0x194) returned 1 [0038.181] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0038.181] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0038.181] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0038.181] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0038.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0040.464] GetLastError () returned 0x0 [0040.464] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x333, lpOverlapped=0x0) returned 1 [0040.466] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x340, lpOverlapped=0x0) returned 1 [0040.467] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.467] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0040.467] SetEndOfFile (hFile=0x1e0) returned 1 [0040.467] CloseHandle (hObject=0x1e0) returned 1 [0040.468] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.468] SetEndOfFile (hFile=0x194) returned 1 [0040.469] CloseHandle (hObject=0x194) returned 1 [0040.469] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.469] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0040.469] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.469] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.469] lstrlenW (lpString=".doc") returned 4 [0040.469] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.469] lstrlenW (lpString=".docx") returned 5 [0040.470] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0040.470] lstrlenW (lpString=".pdf") returned 4 [0040.470] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString=".xls") returned 4 [0040.470] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString=".xlsx") returned 5 [0040.470] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0040.470] lstrlenW (lpString=".ppt") returned 4 [0040.470] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.470] lstrlenW (lpString=".zip") returned 4 [0040.470] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.470] lstrlenW (lpString=".rar") returned 4 [0040.470] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString=".bz2") returned 4 [0040.470] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString=".7z") returned 3 [0040.470] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.470] lstrlenW (lpString=".dbf") returned 4 [0040.470] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.470] lstrlenW (lpString=".1cd") returned 4 [0040.470] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.470] lstrlenW (lpString=".jpg") returned 4 [0040.470] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.470] lstrlenW (lpString=".doc") returned 4 [0040.470] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.470] lstrlenW (lpString=".docx") returned 5 [0040.470] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0040.470] lstrlenW (lpString=".pdf") returned 4 [0040.471] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString=".xls") returned 4 [0040.471] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString=".xlsx") returned 5 [0040.471] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0040.471] lstrlenW (lpString=".ppt") returned 4 [0040.471] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.471] lstrlenW (lpString=".zip") returned 4 [0040.471] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.471] lstrlenW (lpString=".rar") returned 4 [0040.471] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString=".bz2") returned 4 [0040.471] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString=".7z") returned 3 [0040.471] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.471] lstrlenW (lpString=".dbf") returned 4 [0040.471] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.471] lstrlenW (lpString=".1cd") returned 4 [0040.471] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0040.471] lstrlenW (lpString=".jpg") returned 4 [0040.471] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.471] lstrcmpiW (lpString1=".chm", lpString2=".NcOv") returned -1 [0040.471] lstrlenW (lpString="setup.chm") returned 9 [0040.471] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.472] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=67190) returned 1 [0040.472] CloseHandle (hObject=0x194) returned 1 [0040.472] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0040.472] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.472] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.472] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.472] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.472] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0040.472] GetLastError () returned 0x0 [0040.472] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x10676, lpOverlapped=0x0) returned 1 [0040.476] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x10680, lpOverlapped=0x0) returned 1 [0040.477] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.478] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.478] SetEndOfFile (hFile=0x1e0) returned 1 [0040.478] CloseHandle (hObject=0x1e0) returned 1 [0040.479] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.479] SetEndOfFile (hFile=0x194) returned 1 [0040.481] CloseHandle (hObject=0x194) returned 1 [0040.481] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.481] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0040.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.481] lstrlenW (lpString=".doc") returned 4 [0040.481] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0040.481] lstrlenW (lpString=".docx") returned 5 [0040.481] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0040.481] lstrlenW (lpString=".pdf") returned 4 [0040.481] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0040.481] lstrlenW (lpString=".xls") returned 4 [0040.481] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0040.481] lstrlenW (lpString=".xlsx") returned 5 [0040.481] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0040.481] lstrlenW (lpString=".ppt") returned 4 [0040.481] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0040.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.481] lstrlenW (lpString=".zip") returned 4 [0040.482] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString=".rar") returned 4 [0040.482] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString=".bz2") returned 4 [0040.482] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0040.482] lstrlenW (lpString=".7z") returned 3 [0040.482] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0040.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.482] lstrlenW (lpString=".dbf") returned 4 [0040.482] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.482] lstrlenW (lpString=".1cd") returned 4 [0040.482] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0040.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.482] lstrlenW (lpString=".jpg") returned 4 [0040.482] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.482] lstrlenW (lpString=".doc") returned 4 [0040.482] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString=".docx") returned 5 [0040.482] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0040.482] lstrlenW (lpString=".pdf") returned 4 [0040.482] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString=".xls") returned 4 [0040.482] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString=".xlsx") returned 5 [0040.482] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0040.482] lstrlenW (lpString=".ppt") returned 4 [0040.482] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.482] lstrlenW (lpString=".zip") returned 4 [0040.482] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0040.482] lstrlenW (lpString=".rar") returned 4 [0040.483] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0040.483] lstrlenW (lpString=".bz2") returned 4 [0040.483] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0040.483] lstrlenW (lpString=".7z") returned 3 [0040.483] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0040.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.483] lstrlenW (lpString=".dbf") returned 4 [0040.483] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0040.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.483] lstrlenW (lpString=".1cd") returned 4 [0040.483] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0040.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0040.483] lstrlenW (lpString=".jpg") returned 4 [0040.483] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0040.483] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.483] lstrlenW (lpString="Setup.xml") returned 9 [0040.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.483] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=9352) returned 1 [0040.483] CloseHandle (hObject=0x194) returned 1 [0040.484] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0040.484] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.484] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.484] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.484] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.484] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0040.484] GetLastError () returned 0x0 [0040.484] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x2488, lpOverlapped=0x0) returned 1 [0040.486] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x2490, lpOverlapped=0x0) returned 1 [0040.487] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.487] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.487] SetEndOfFile (hFile=0x1e0) returned 1 [0040.487] CloseHandle (hObject=0x1e0) returned 1 [0040.488] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.488] SetEndOfFile (hFile=0x194) returned 1 [0040.489] CloseHandle (hObject=0x194) returned 1 [0040.489] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.489] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.490] lstrlenW (lpString=".doc") returned 4 [0040.490] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString=".docx") returned 5 [0040.490] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0040.490] lstrlenW (lpString=".pdf") returned 4 [0040.490] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString=".xls") returned 4 [0040.490] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString=".xlsx") returned 5 [0040.490] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0040.490] lstrlenW (lpString=".ppt") returned 4 [0040.490] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.490] lstrlenW (lpString=".zip") returned 4 [0040.490] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.490] lstrlenW (lpString=".rar") returned 4 [0040.490] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString=".bz2") returned 4 [0040.490] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString=".7z") returned 3 [0040.490] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.490] lstrlenW (lpString=".dbf") returned 4 [0040.490] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.490] lstrlenW (lpString=".1cd") returned 4 [0040.490] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.490] lstrlenW (lpString=".jpg") returned 4 [0040.490] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.491] lstrlenW (lpString=".doc") returned 4 [0040.491] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString=".docx") returned 5 [0040.491] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0040.491] lstrlenW (lpString=".pdf") returned 4 [0040.491] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString=".xls") returned 4 [0040.491] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString=".xlsx") returned 5 [0040.491] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0040.491] lstrlenW (lpString=".ppt") returned 4 [0040.491] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.491] lstrlenW (lpString=".zip") returned 4 [0040.491] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.491] lstrlenW (lpString=".rar") returned 4 [0040.491] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString=".bz2") returned 4 [0040.491] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString=".7z") returned 3 [0040.491] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.491] lstrlenW (lpString=".dbf") returned 4 [0040.491] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.491] lstrlenW (lpString=".1cd") returned 4 [0040.491] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0040.491] lstrlenW (lpString=".jpg") returned 4 [0040.491] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.492] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.492] lstrlenW (lpString="AccessMUI.xml") returned 13 [0040.492] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.493] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1349) returned 1 [0040.493] CloseHandle (hObject=0x194) returned 1 [0040.493] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0040.493] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.493] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.494] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.494] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.494] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0040.494] GetLastError () returned 0x0 [0040.494] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x545, lpOverlapped=0x0) returned 1 [0040.496] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x550, lpOverlapped=0x0) returned 1 [0040.497] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.497] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.497] SetEndOfFile (hFile=0x1e0) returned 1 [0040.497] CloseHandle (hObject=0x1e0) returned 1 [0040.499] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.499] SetEndOfFile (hFile=0x194) returned 1 [0040.499] CloseHandle (hObject=0x194) returned 1 [0040.500] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.500] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0040.500] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.500] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.500] lstrlenW (lpString=".doc") returned 4 [0040.500] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.500] lstrlenW (lpString=".docx") returned 5 [0040.500] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0040.500] lstrlenW (lpString=".pdf") returned 4 [0040.500] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.500] lstrlenW (lpString=".xls") returned 4 [0040.500] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.500] lstrlenW (lpString=".xlsx") returned 5 [0040.500] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0040.500] lstrlenW (lpString=".ppt") returned 4 [0040.500] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.500] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.500] lstrlenW (lpString=".zip") returned 4 [0040.500] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.500] lstrlenW (lpString=".rar") returned 4 [0040.501] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString=".bz2") returned 4 [0040.501] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString=".7z") returned 3 [0040.501] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.501] lstrlenW (lpString=".dbf") returned 4 [0040.501] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.501] lstrlenW (lpString=".1cd") returned 4 [0040.501] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.501] lstrlenW (lpString=".jpg") returned 4 [0040.501] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.501] lstrlenW (lpString=".doc") returned 4 [0040.501] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString=".docx") returned 5 [0040.501] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0040.501] lstrlenW (lpString=".pdf") returned 4 [0040.501] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString=".xls") returned 4 [0040.501] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString=".xlsx") returned 5 [0040.501] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0040.501] lstrlenW (lpString=".ppt") returned 4 [0040.501] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.501] lstrlenW (lpString=".zip") returned 4 [0040.501] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.501] lstrlenW (lpString=".rar") returned 4 [0040.501] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.502] lstrlenW (lpString=".bz2") returned 4 [0040.502] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.502] lstrlenW (lpString=".7z") returned 3 [0040.502] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.502] lstrlenW (lpString=".dbf") returned 4 [0040.502] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.502] lstrlenW (lpString=".1cd") returned 4 [0040.502] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0040.502] lstrlenW (lpString=".jpg") returned 4 [0040.502] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.502] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.502] lstrlenW (lpString="branding.xml") returned 12 [0040.502] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.502] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=596341) returned 1 [0040.502] CloseHandle (hObject=0x194) returned 1 [0040.502] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0040.503] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.503] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.503] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.503] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.503] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0040.503] GetLastError () returned 0x0 [0040.503] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x91975, lpOverlapped=0x0) returned 1 [0040.940] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x91980, lpOverlapped=0x0) returned 1 [0040.952] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.952] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.952] SetEndOfFile (hFile=0x1e0) returned 1 [0040.952] CloseHandle (hObject=0x1e0) returned 1 [0040.957] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.957] SetEndOfFile (hFile=0x194) returned 1 [0040.963] CloseHandle (hObject=0x194) returned 1 [0040.963] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.963] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0040.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.963] lstrlenW (lpString=".doc") returned 4 [0040.963] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.963] lstrlenW (lpString=".docx") returned 5 [0040.963] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0040.963] lstrlenW (lpString=".pdf") returned 4 [0040.963] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.963] lstrlenW (lpString=".xls") returned 4 [0040.963] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString=".xlsx") returned 5 [0040.964] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0040.964] lstrlenW (lpString=".ppt") returned 4 [0040.964] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.964] lstrlenW (lpString=".zip") returned 4 [0040.964] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.964] lstrlenW (lpString=".rar") returned 4 [0040.964] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString=".bz2") returned 4 [0040.964] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString=".7z") returned 3 [0040.964] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.964] lstrlenW (lpString=".dbf") returned 4 [0040.964] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.964] lstrlenW (lpString=".1cd") returned 4 [0040.964] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.964] lstrlenW (lpString=".jpg") returned 4 [0040.964] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.964] lstrlenW (lpString=".doc") returned 4 [0040.964] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString=".docx") returned 5 [0040.964] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0040.964] lstrlenW (lpString=".pdf") returned 4 [0040.964] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString=".xls") returned 4 [0040.964] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.964] lstrlenW (lpString=".xlsx") returned 5 [0040.964] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0040.964] lstrlenW (lpString=".ppt") returned 4 [0040.965] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.965] lstrlenW (lpString=".zip") returned 4 [0040.965] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.965] lstrlenW (lpString=".rar") returned 4 [0040.965] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.965] lstrlenW (lpString=".bz2") returned 4 [0040.965] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.965] lstrlenW (lpString=".7z") returned 3 [0040.965] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.965] lstrlenW (lpString=".dbf") returned 4 [0040.965] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.965] lstrlenW (lpString=".1cd") returned 4 [0040.965] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0040.965] lstrlenW (lpString=".jpg") returned 4 [0040.965] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.965] lstrcmpiW (lpString1=".xml", lpString2=".NcOv") returned 1 [0040.965] lstrlenW (lpString="Office32WW.xml") returned 14 [0040.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.966] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=4274) returned 1 [0040.966] CloseHandle (hObject=0x194) returned 1 [0040.966] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0040.966] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.966] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0040.966] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.967] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.967] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0040.967] GetLastError () returned 0x0 [0040.967] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x10b2, lpOverlapped=0x0) returned 1 [0041.418] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0041.419] ReadFile (in: hFile=0x194, lpBuffer=0x3820020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.419] WriteFile (in: hFile=0x1e0, lpBuffer=0x3820020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3820020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.419] SetEndOfFile (hFile=0x1e0) returned 1 [0041.419] CloseHandle (hObject=0x1e0) returned 1 [0041.420] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.420] SetEndOfFile (hFile=0x194) returned 1 [0041.421] CloseHandle (hObject=0x194) returned 1 [0041.421] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.422] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0041.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.422] lstrlenW (lpString=".doc") returned 4 [0041.422] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString=".docx") returned 5 [0041.422] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.422] lstrlenW (lpString=".pdf") returned 4 [0041.422] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString=".xls") returned 4 [0041.422] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString=".xlsx") returned 5 [0041.422] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.422] lstrlenW (lpString=".ppt") returned 4 [0041.422] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.422] lstrlenW (lpString=".zip") returned 4 [0041.422] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.422] lstrlenW (lpString=".rar") returned 4 [0041.422] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString=".bz2") returned 4 [0041.422] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString=".7z") returned 3 [0041.422] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.422] lstrlenW (lpString=".dbf") returned 4 [0041.422] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString=".1cd") returned 4 [0041.423] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString=".jpg") returned 4 [0041.423] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString=".doc") returned 4 [0041.423] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString=".docx") returned 5 [0041.423] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0041.423] lstrlenW (lpString=".pdf") returned 4 [0041.423] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString=".xls") returned 4 [0041.423] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString=".xlsx") returned 5 [0041.423] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0041.423] lstrlenW (lpString=".ppt") returned 4 [0041.423] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString=".zip") returned 4 [0041.423] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0041.423] lstrlenW (lpString=".rar") returned 4 [0041.423] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString=".bz2") returned 4 [0041.423] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString=".7z") returned 3 [0041.423] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0041.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString=".dbf") returned 4 [0041.423] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0041.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.423] lstrlenW (lpString=".1cd") returned 4 [0041.423] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0041.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0041.424] lstrlenW (lpString=".jpg") returned 4 [0041.424] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0041.424] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0041.424] lstrlenW (lpString="boxed-correct.avi") returned 17 [0041.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.050] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=89600) returned 1 [0042.050] CloseHandle (hObject=0x194) returned 1 [0042.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0042.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.050] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.051] lstrlenW (lpString=".doc") returned 4 [0042.051] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString=".docx") returned 5 [0042.051] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.051] lstrlenW (lpString=".pdf") returned 4 [0042.051] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString=".xls") returned 4 [0042.051] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString=".xlsx") returned 5 [0042.051] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.051] lstrlenW (lpString=".ppt") returned 4 [0042.051] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.051] lstrlenW (lpString=".zip") returned 4 [0042.051] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString=".rar") returned 4 [0042.051] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString=".bz2") returned 4 [0042.051] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString=".7z") returned 3 [0042.051] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.051] lstrlenW (lpString=".dbf") returned 4 [0042.051] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.051] lstrlenW (lpString=".1cd") returned 4 [0042.051] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.051] lstrlenW (lpString=".jpg") returned 4 [0042.052] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.052] lstrlenW (lpString=".doc") returned 4 [0042.052] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString=".docx") returned 5 [0042.052] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.052] lstrlenW (lpString=".pdf") returned 4 [0042.052] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString=".xls") returned 4 [0042.052] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString=".xlsx") returned 5 [0042.052] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.052] lstrlenW (lpString=".ppt") returned 4 [0042.052] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.052] lstrlenW (lpString=".zip") returned 4 [0042.052] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString=".rar") returned 4 [0042.052] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString=".bz2") returned 4 [0042.052] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString=".7z") returned 3 [0042.052] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.052] lstrlenW (lpString=".dbf") returned 4 [0042.052] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.052] lstrlenW (lpString=".1cd") returned 4 [0042.052] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0042.052] lstrlenW (lpString=".jpg") returned 4 [0042.052] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.053] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0042.053] lstrlenW (lpString="correct.avi") returned 11 [0042.053] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.053] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=197120) returned 1 [0042.053] CloseHandle (hObject=0x194) returned 1 [0042.053] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0042.053] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.053] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.053] lstrlenW (lpString=".doc") returned 4 [0042.053] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.053] lstrlenW (lpString=".docx") returned 5 [0042.053] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.053] lstrlenW (lpString=".pdf") returned 4 [0042.053] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.053] lstrlenW (lpString=".xls") returned 4 [0042.053] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".xlsx") returned 5 [0042.054] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.054] lstrlenW (lpString=".ppt") returned 4 [0042.054] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.054] lstrlenW (lpString=".zip") returned 4 [0042.054] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".rar") returned 4 [0042.054] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".bz2") returned 4 [0042.054] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".7z") returned 3 [0042.054] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.054] lstrlenW (lpString=".dbf") returned 4 [0042.054] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.054] lstrlenW (lpString=".1cd") returned 4 [0042.054] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.054] lstrlenW (lpString=".jpg") returned 4 [0042.054] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.054] lstrlenW (lpString=".doc") returned 4 [0042.054] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".docx") returned 5 [0042.054] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.054] lstrlenW (lpString=".pdf") returned 4 [0042.054] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".xls") returned 4 [0042.054] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.054] lstrlenW (lpString=".xlsx") returned 5 [0042.054] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.054] lstrlenW (lpString=".ppt") returned 4 [0042.055] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.055] lstrlenW (lpString=".zip") returned 4 [0042.055] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.055] lstrlenW (lpString=".rar") returned 4 [0042.055] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.055] lstrlenW (lpString=".bz2") returned 4 [0042.055] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.055] lstrlenW (lpString=".7z") returned 3 [0042.055] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.055] lstrlenW (lpString=".dbf") returned 4 [0042.055] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.055] lstrlenW (lpString=".1cd") returned 4 [0042.055] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0042.055] lstrlenW (lpString=".jpg") returned 4 [0042.055] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.055] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0042.055] lstrlenW (lpString="delete.avi") returned 10 [0042.055] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.056] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=224256) returned 1 [0042.056] CloseHandle (hObject=0x194) returned 1 [0042.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0042.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.056] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.056] lstrlenW (lpString=".doc") returned 4 [0042.056] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.056] lstrlenW (lpString=".docx") returned 5 [0042.056] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0042.057] lstrlenW (lpString=".pdf") returned 4 [0042.057] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString=".xls") returned 4 [0042.057] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString=".xlsx") returned 5 [0042.057] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0042.057] lstrlenW (lpString=".ppt") returned 4 [0042.057] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.057] lstrlenW (lpString=".zip") returned 4 [0042.057] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString=".rar") returned 4 [0042.057] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString=".bz2") returned 4 [0042.057] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString=".7z") returned 3 [0042.057] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.057] lstrlenW (lpString=".dbf") returned 4 [0042.057] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.057] lstrlenW (lpString=".1cd") returned 4 [0042.057] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.057] lstrlenW (lpString=".jpg") returned 4 [0042.057] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.057] lstrlenW (lpString=".doc") returned 4 [0042.057] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.057] lstrlenW (lpString=".docx") returned 5 [0042.057] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0042.057] lstrlenW (lpString=".pdf") returned 4 [0042.057] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString=".xls") returned 4 [0042.058] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString=".xlsx") returned 5 [0042.058] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0042.058] lstrlenW (lpString=".ppt") returned 4 [0042.058] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.058] lstrlenW (lpString=".zip") returned 4 [0042.058] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString=".rar") returned 4 [0042.058] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString=".bz2") returned 4 [0042.058] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString=".7z") returned 3 [0042.058] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.058] lstrlenW (lpString=".dbf") returned 4 [0042.058] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.058] lstrlenW (lpString=".1cd") returned 4 [0042.058] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0042.058] lstrlenW (lpString=".jpg") returned 4 [0042.058] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.058] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0042.058] lstrlenW (lpString="join.avi") returned 8 [0042.058] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.059] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=222208) returned 1 [0042.059] CloseHandle (hObject=0x194) returned 1 [0042.059] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0042.059] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.059] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.059] lstrlenW (lpString=".doc") returned 4 [0042.059] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.059] lstrlenW (lpString=".docx") returned 5 [0042.059] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0042.059] lstrlenW (lpString=".pdf") returned 4 [0042.059] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.059] lstrlenW (lpString=".xls") returned 4 [0042.059] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.059] lstrlenW (lpString=".xlsx") returned 5 [0042.059] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0042.059] lstrlenW (lpString=".ppt") returned 4 [0042.059] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.059] lstrlenW (lpString=".zip") returned 4 [0042.059] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.059] lstrlenW (lpString=".rar") returned 4 [0042.059] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".bz2") returned 4 [0042.060] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".7z") returned 3 [0042.060] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.060] lstrlenW (lpString=".dbf") returned 4 [0042.060] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.060] lstrlenW (lpString=".1cd") returned 4 [0042.060] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.060] lstrlenW (lpString=".jpg") returned 4 [0042.060] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.060] lstrlenW (lpString=".doc") returned 4 [0042.060] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".docx") returned 5 [0042.060] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0042.060] lstrlenW (lpString=".pdf") returned 4 [0042.060] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".xls") returned 4 [0042.060] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".xlsx") returned 5 [0042.060] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0042.060] lstrlenW (lpString=".ppt") returned 4 [0042.060] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.060] lstrlenW (lpString=".zip") returned 4 [0042.060] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".rar") returned 4 [0042.060] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".bz2") returned 4 [0042.060] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.060] lstrlenW (lpString=".7z") returned 3 [0042.061] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.061] lstrlenW (lpString=".dbf") returned 4 [0042.061] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.061] lstrlenW (lpString=".1cd") returned 4 [0042.061] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0042.061] lstrlenW (lpString=".jpg") returned 4 [0042.061] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.061] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0042.061] lstrlenW (lpString="split.avi") returned 9 [0042.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.061] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=194048) returned 1 [0042.061] CloseHandle (hObject=0x194) returned 1 [0042.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0042.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString=".doc") returned 4 [0042.062] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString=".docx") returned 5 [0042.062] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.062] lstrlenW (lpString=".pdf") returned 4 [0042.062] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString=".xls") returned 4 [0042.062] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString=".xlsx") returned 5 [0042.062] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.062] lstrlenW (lpString=".ppt") returned 4 [0042.062] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString=".zip") returned 4 [0042.062] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString=".rar") returned 4 [0042.062] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString=".bz2") returned 4 [0042.062] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString=".7z") returned 3 [0042.062] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString=".dbf") returned 4 [0042.062] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString=".1cd") returned 4 [0042.062] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString=".jpg") returned 4 [0042.062] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.062] lstrlenW (lpString=".doc") returned 4 [0042.062] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString=".docx") returned 5 [0042.063] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0042.063] lstrlenW (lpString=".pdf") returned 4 [0042.063] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString=".xls") returned 4 [0042.063] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString=".xlsx") returned 5 [0042.063] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0042.063] lstrlenW (lpString=".ppt") returned 4 [0042.063] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.063] lstrlenW (lpString=".zip") returned 4 [0042.063] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString=".rar") returned 4 [0042.063] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString=".bz2") returned 4 [0042.063] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString=".7z") returned 3 [0042.063] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.063] lstrlenW (lpString=".dbf") returned 4 [0042.063] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.063] lstrlenW (lpString=".1cd") returned 4 [0042.063] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0042.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0042.063] lstrlenW (lpString=".jpg") returned 4 [0042.063] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0042.063] lstrcmpiW (lpString1=".avi", lpString2=".NcOv") returned -1 [0042.063] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0042.063] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0042.064] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1600388) returned 1 [0042.064] CloseHandle (hObject=0x194) returned 1 [0042.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0042.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0042.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0042.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0042.065] lstrlenW (lpString=".doc") returned 4 [0042.065] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString=".docx") returned 5 [0042.065] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0042.065] lstrlenW (lpString=".pdf") returned 4 [0042.065] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString=".xls") returned 4 [0042.065] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString=".xlsx") returned 5 [0042.065] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0042.065] lstrlenW (lpString=".ppt") returned 4 [0042.065] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0042.065] lstrlenW (lpString=".zip") returned 4 [0042.065] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString=".rar") returned 4 [0042.065] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString=".bz2") returned 4 [0042.065] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0042.065] lstrlenW (lpString=".7z") returned 3 [0042.065] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0042.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0042.066] lstrlenW (lpString=".dbf") returned 4 [0042.066] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0042.069] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1434) returned 1 [0042.069] CloseHandle (hObject=0x1a0) returned 1 [0042.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0042.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.070] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.073] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=212) returned 1 [0042.073] CloseHandle (hObject=0x194) returned 1 [0042.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0042.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.074] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=384) returned 1 [0042.074] CloseHandle (hObject=0x194) returned 1 [0042.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0042.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.075] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1118) returned 1 [0042.075] CloseHandle (hObject=0x194) returned 1 [0042.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0042.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.076] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.076] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=392) returned 1 [0042.076] CloseHandle (hObject=0x194) returned 1 [0042.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0042.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.076] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.077] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=727) returned 1 [0042.077] CloseHandle (hObject=0x194) returned 1 [0042.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0042.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.079] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=3150) returned 1 [0042.079] CloseHandle (hObject=0x194) returned 1 [0042.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0042.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.080] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=247) returned 1 [0042.080] CloseHandle (hObject=0x194) returned 1 [0042.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0042.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.081] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=3161) returned 1 [0042.081] CloseHandle (hObject=0x194) returned 1 [0042.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0042.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.081] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=3166) returned 1 [0042.081] CloseHandle (hObject=0x194) returned 1 [0042.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0042.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.082] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=738) returned 1 [0042.083] CloseHandle (hObject=0x194) returned 1 [0042.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0042.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.083] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=804) returned 1 [0042.083] CloseHandle (hObject=0x194) returned 1 [0042.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0042.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.084] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=488) returned 1 [0042.084] CloseHandle (hObject=0x194) returned 1 [0042.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml")) returned 0x20 [0042.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.085] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=617) returned 1 [0042.085] CloseHandle (hObject=0x194) returned 1 [0042.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml")) returned 0x20 [0042.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.086] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=16616) returned 1 [0042.086] CloseHandle (hObject=0x194) returned 1 [0042.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml")) returned 0x20 [0042.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.086] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=15097) returned 1 [0042.086] CloseHandle (hObject=0x194) returned 1 [0042.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml")) returned 0x20 [0042.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.848] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=9803) returned 1 [0042.848] CloseHandle (hObject=0x1c4) returned 1 [0042.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml")) returned 0x20 [0042.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff Thread: id = 13 os_tid = 0x55c [0036.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3730050 [0036.662] lstrlenW (lpString="C:") returned 2 [0036.662] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2eefd00 | out: lpFindFileData=0x2eefd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5547c0 [0036.662] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0036.663] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0036.663] lstrlenW (lpString="$Recycle.Bin") returned 12 [0036.663] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0036.663] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3740058 [0036.663] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0036.663] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554800 [0036.664] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.664] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0036.664] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0036.664] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0036.664] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0036.664] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0036.664] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.664] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0036.665] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.665] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.665] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0036.665] lstrlenW (lpString="desktop.ini") returned 11 [0036.665] lstrlenW (lpString=".1cd") returned 4 [0036.665] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0036.665] lstrlenW (lpString=".3ds") returned 4 [0036.665] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0036.665] lstrlenW (lpString=".3fr") returned 4 [0036.665] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0036.665] lstrlenW (lpString=".3g2") returned 4 [0036.665] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0036.665] lstrlenW (lpString=".3gp") returned 4 [0036.665] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0036.665] lstrlenW (lpString=".7z") returned 3 [0036.665] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0036.665] lstrlenW (lpString=".accda") returned 6 [0036.665] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0036.665] lstrlenW (lpString=".accdb") returned 6 [0036.665] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0036.665] lstrlenW (lpString=".accdc") returned 6 [0036.666] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0036.666] lstrlenW (lpString=".accde") returned 6 [0036.666] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0036.666] lstrlenW (lpString=".accdt") returned 6 [0036.666] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0036.666] lstrlenW (lpString=".accdw") returned 6 [0036.666] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0036.666] lstrlenW (lpString=".adb") returned 4 [0036.666] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".adp") returned 4 [0036.666] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".ai") returned 3 [0036.666] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0036.666] lstrlenW (lpString=".ai3") returned 4 [0036.666] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".ai4") returned 4 [0036.666] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".ai5") returned 4 [0036.666] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".ai6") returned 4 [0036.666] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".ai7") returned 4 [0036.666] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".ai8") returned 4 [0036.666] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".anim") returned 5 [0036.666] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0036.666] lstrlenW (lpString=".arw") returned 4 [0036.666] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0036.666] lstrlenW (lpString=".as") returned 3 [0036.666] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0036.667] lstrlenW (lpString=".asa") returned 4 [0036.667] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0036.667] lstrlenW (lpString=".asc") returned 4 [0036.667] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0036.667] lstrlenW (lpString=".ascx") returned 5 [0036.667] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0036.667] lstrlenW (lpString=".asm") returned 4 [0036.667] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0036.667] lstrlenW (lpString=".asmx") returned 5 [0036.667] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0036.667] lstrlenW (lpString=".asp") returned 4 [0036.667] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".aspx") returned 5 [0036.668] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0036.668] lstrlenW (lpString=".asr") returned 4 [0036.668] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".asx") returned 4 [0036.668] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".avi") returned 4 [0036.668] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".avs") returned 4 [0036.668] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".backup") returned 7 [0036.668] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0036.668] lstrlenW (lpString=".bak") returned 4 [0036.668] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".bay") returned 4 [0036.668] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".bd") returned 3 [0036.668] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0036.668] lstrlenW (lpString=".bin") returned 4 [0036.668] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".bmp") returned 4 [0036.668] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".bz2") returned 4 [0036.668] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0036.668] lstrlenW (lpString=".c") returned 2 [0036.668] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0036.668] lstrlenW (lpString=".cdr") returned 4 [0036.669] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cer") returned 4 [0036.669] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cf") returned 3 [0036.669] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0036.669] lstrlenW (lpString=".cfc") returned 4 [0036.669] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cfm") returned 4 [0036.669] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cfml") returned 5 [0036.669] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0036.669] lstrlenW (lpString=".cfu") returned 4 [0036.669] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".chm") returned 4 [0036.669] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cin") returned 4 [0036.669] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".class") returned 6 [0036.669] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0036.669] lstrlenW (lpString=".clx") returned 4 [0036.669] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".config") returned 7 [0036.669] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0036.669] lstrlenW (lpString=".cpp") returned 4 [0036.669] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cr2") returned 4 [0036.669] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".crt") returned 4 [0036.669] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".crw") returned 4 [0036.669] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0036.669] lstrlenW (lpString=".cs") returned 3 [0036.670] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0036.670] lstrlenW (lpString=".css") returned 4 [0036.670] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".csv") returned 4 [0036.670] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".cub") returned 4 [0036.670] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dae") returned 4 [0036.670] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dat") returned 4 [0036.670] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".db") returned 3 [0036.670] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0036.670] lstrlenW (lpString=".dbf") returned 4 [0036.670] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dbx") returned 4 [0036.670] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dc3") returned 4 [0036.670] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dcm") returned 4 [0036.670] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dcr") returned 4 [0036.670] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".der") returned 4 [0036.670] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dib") returned 4 [0036.670] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dic") returned 4 [0036.670] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0036.670] lstrlenW (lpString=".dif") returned 4 [0036.670] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".divx") returned 5 [0036.671] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0036.671] lstrlenW (lpString=".djvu") returned 5 [0036.671] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0036.671] lstrlenW (lpString=".dng") returned 4 [0036.671] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".doc") returned 4 [0036.671] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".docm") returned 5 [0036.671] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0036.671] lstrlenW (lpString=".docx") returned 5 [0036.671] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0036.671] lstrlenW (lpString=".dot") returned 4 [0036.671] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".dotm") returned 5 [0036.671] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0036.671] lstrlenW (lpString=".dotx") returned 5 [0036.671] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0036.671] lstrlenW (lpString=".dpx") returned 4 [0036.671] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".dqy") returned 4 [0036.671] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".dsn") returned 4 [0036.671] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".dt") returned 3 [0036.671] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0036.671] lstrlenW (lpString=".dtd") returned 4 [0036.671] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0036.671] lstrlenW (lpString=".dwg") returned 4 [0036.671] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".dwt") returned 4 [0036.672] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".dx") returned 3 [0036.672] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0036.672] lstrlenW (lpString=".dxf") returned 4 [0036.672] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".edml") returned 5 [0036.672] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0036.672] lstrlenW (lpString=".efd") returned 4 [0036.672] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".elf") returned 4 [0036.672] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".emf") returned 4 [0036.672] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".emz") returned 4 [0036.672] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0036.672] lstrlenW (lpString=".epf") returned 4 [0036.672] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".eps") returned 4 [0036.673] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".epsf") returned 5 [0036.673] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0036.673] lstrlenW (lpString=".epsp") returned 5 [0036.673] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0036.673] lstrlenW (lpString=".erf") returned 4 [0036.673] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".exr") returned 4 [0036.673] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".f4v") returned 4 [0036.673] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".fido") returned 5 [0036.673] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0036.673] lstrlenW (lpString=".flm") returned 4 [0036.673] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".flv") returned 4 [0036.673] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".frm") returned 4 [0036.673] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".fxg") returned 4 [0036.673] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".geo") returned 4 [0036.673] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0036.673] lstrlenW (lpString=".gif") returned 4 [0036.674] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".grs") returned 4 [0036.674] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".gz") returned 3 [0036.674] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0036.674] lstrlenW (lpString=".h") returned 2 [0036.674] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0036.674] lstrlenW (lpString=".hdr") returned 4 [0036.674] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".hpp") returned 4 [0036.674] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".hta") returned 4 [0036.674] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".htc") returned 4 [0036.674] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".htm") returned 4 [0036.674] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".html") returned 5 [0036.674] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0036.674] lstrlenW (lpString=".icb") returned 4 [0036.674] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".ics") returned 4 [0036.674] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".iff") returned 4 [0036.674] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".inc") returned 4 [0036.674] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0036.674] lstrlenW (lpString=".indd") returned 5 [0036.674] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0036.674] lstrlenW (lpString=".ini") returned 4 [0036.674] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0036.674] lstrlenW (lpString="desktop.ini") returned 11 [0036.675] lstrlenW (lpString=".NcOv") returned 5 [0036.675] lstrcmpiW (lpString1=".NcOv", lpString2="p.ini") returned -1 [0036.675] lstrlenW (lpString="desktop.ini") returned 11 [0036.675] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0036.675] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0036.675] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0036.675] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0036.675] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0036.675] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="desktop.ini") returned 1 [0036.675] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0036.675] lstrcmpiW (lpString1="winhost.exe", lpString2="desktop.ini") returned 1 [0036.675] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0036.675] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0036.675] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.675] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0036.675] FindClose (in: hFindFile=0x554800 | out: hFindFile=0x554800) returned 1 [0036.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3740058 | out: hHeap=0x500000) returned 1 [0036.675] FindNextFileW (in: hFindFile=0x5547c0, lpFindFileData=0x2eefd00 | out: lpFindFileData=0x2eefd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0036.676] lstrlenW (lpString="C:\\Boot") returned 7 [0036.676] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0036.676] lstrlenW (lpString="Boot") returned 4 [0036.676] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0036.676] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3740058 [0036.676] lstrlenW (lpString="C:\\Boot") returned 7 [0036.676] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554800 [0036.676] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.676] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0036.676] lstrlenW (lpString="BCD") returned 3 [0036.676] lstrlenW (lpString=".1cd") returned 4 [0036.676] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0036.676] lstrlenW (lpString=".3ds") returned 4 [0036.676] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0036.676] lstrlenW (lpString=".3fr") returned 4 [0036.676] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0036.676] lstrlenW (lpString=".3g2") returned 4 [0036.676] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0036.676] lstrlenW (lpString=".3gp") returned 4 [0036.677] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".7z") returned 3 [0036.677] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0036.677] lstrlenW (lpString=".accda") returned 6 [0036.677] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".accdb") returned 6 [0036.677] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".accdc") returned 6 [0036.677] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".accde") returned 6 [0036.677] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".accdt") returned 6 [0036.677] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".accdw") returned 6 [0036.677] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".adb") returned 4 [0036.677] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".adp") returned 4 [0036.677] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".ai") returned 3 [0036.677] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0036.677] lstrlenW (lpString=".ai3") returned 4 [0036.677] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".ai4") returned 4 [0036.677] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".ai5") returned 4 [0036.677] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0036.677] lstrlenW (lpString=".ai6") returned 4 [0036.677] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".ai7") returned 4 [0036.678] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".ai8") returned 4 [0036.678] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".anim") returned 5 [0036.678] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".arw") returned 4 [0036.678] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".as") returned 3 [0036.678] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0036.678] lstrlenW (lpString=".asa") returned 4 [0036.678] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".asc") returned 4 [0036.678] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".ascx") returned 5 [0036.678] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".asm") returned 4 [0036.678] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".asmx") returned 5 [0036.678] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".asp") returned 4 [0036.678] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".aspx") returned 5 [0036.678] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".asr") returned 4 [0036.678] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".asx") returned 4 [0036.678] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0036.678] lstrlenW (lpString=".avi") returned 4 [0036.678] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".avs") returned 4 [0036.679] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".backup") returned 7 [0036.679] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".bak") returned 4 [0036.679] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".bay") returned 4 [0036.679] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".bd") returned 3 [0036.679] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0036.679] lstrlenW (lpString=".bin") returned 4 [0036.679] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".bmp") returned 4 [0036.679] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".bz2") returned 4 [0036.679] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".c") returned 2 [0036.679] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0036.679] lstrlenW (lpString=".cdr") returned 4 [0036.679] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".cer") returned 4 [0036.679] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".cf") returned 3 [0036.679] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0036.679] lstrlenW (lpString=".cfc") returned 4 [0036.679] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".cfm") returned 4 [0036.679] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0036.679] lstrlenW (lpString=".cfml") returned 5 [0036.680] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".cfu") returned 4 [0036.680] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".chm") returned 4 [0036.680] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".cin") returned 4 [0036.680] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".class") returned 6 [0036.680] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".clx") returned 4 [0036.680] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".config") returned 7 [0036.680] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".cpp") returned 4 [0036.680] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".cr2") returned 4 [0036.680] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0036.680] lstrlenW (lpString=".crt") returned 4 [0036.680] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".crw") returned 4 [0036.681] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".cs") returned 3 [0036.681] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0036.681] lstrlenW (lpString=".css") returned 4 [0036.681] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".csv") returned 4 [0036.681] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".cub") returned 4 [0036.681] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dae") returned 4 [0036.681] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dat") returned 4 [0036.681] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".db") returned 3 [0036.681] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0036.681] lstrlenW (lpString=".dbf") returned 4 [0036.681] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dbx") returned 4 [0036.681] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dc3") returned 4 [0036.681] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dcm") returned 4 [0036.681] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dcr") returned 4 [0036.681] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".der") returned 4 [0036.681] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dib") returned 4 [0036.681] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dic") returned 4 [0036.681] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0036.681] lstrlenW (lpString=".dif") returned 4 [0036.682] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".divx") returned 5 [0036.682] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".djvu") returned 5 [0036.682] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".dng") returned 4 [0036.682] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".doc") returned 4 [0036.682] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".docm") returned 5 [0036.682] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".docx") returned 5 [0036.682] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".dot") returned 4 [0036.682] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0036.682] lstrlenW (lpString=".dotm") returned 5 [0036.682] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0036.683] lstrlenW (lpString=".dotx") returned 5 [0036.683] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0036.683] lstrlenW (lpString=".dpx") returned 4 [0036.683] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".dqy") returned 4 [0036.684] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".dsn") returned 4 [0036.684] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".dt") returned 3 [0036.684] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0036.684] lstrlenW (lpString=".dtd") returned 4 [0036.684] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".dwg") returned 4 [0036.684] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".dwt") returned 4 [0036.684] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".dx") returned 3 [0036.684] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0036.684] lstrlenW (lpString=".dxf") returned 4 [0036.684] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".edml") returned 5 [0036.684] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".efd") returned 4 [0036.684] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".elf") returned 4 [0036.684] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0036.684] lstrlenW (lpString=".emf") returned 4 [0036.685] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".emz") returned 4 [0036.685] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".epf") returned 4 [0036.685] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".eps") returned 4 [0036.685] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".epsf") returned 5 [0036.685] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".epsp") returned 5 [0036.685] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".erf") returned 4 [0036.685] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".exr") returned 4 [0036.685] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".f4v") returned 4 [0036.685] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0036.685] lstrlenW (lpString=".fido") returned 5 [0036.685] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0036.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.686] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.687] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.687] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.687] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.687] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.687] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0036.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.688] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.688] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.688] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.688] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.688] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.688] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0036.689] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.689] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.690] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.690] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.690] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.690] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.690] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0036.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.690] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.691] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.691] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.691] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.691] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.691] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0036.691] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.691] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.692] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.692] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.693] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.693] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.693] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0036.693] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.693] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.694] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.694] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.694] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.694] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.694] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0036.694] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.695] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.695] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.695] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.695] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.695] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0036.695] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.695] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.696] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.696] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0036.697] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.697] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.697] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0036.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.697] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.720] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.720] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.720] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.720] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.720] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0036.720] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.720] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.721] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.721] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.721] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.721] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.721] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0036.721] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.721] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.722] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.722] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.723] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.723] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.723] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0036.723] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.723] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.723] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.723] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.723] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.723] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.723] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0036.723] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.724] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.724] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.724] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.725] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.725] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0036.725] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.725] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.725] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.725] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.725] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.725] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0036.726] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.726] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.726] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.726] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.727] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.727] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.727] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0036.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.727] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.727] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.727] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.727] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.727] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.727] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0036.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.727] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.729] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.729] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.729] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.729] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.729] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0036.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.729] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.730] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.730] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.730] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.730] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0036.730] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.730] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.731] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.731] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.731] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.731] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.731] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0036.731] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.731] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.733] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.733] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.733] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.733] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.733] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0036.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.734] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.735] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.735] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.735] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.738] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.738] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0036.738] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.738] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.738] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.738] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.738] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.739] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.739] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0036.739] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.739] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.740] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.740] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.740] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.740] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.740] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0036.740] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.740] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.740] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.740] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0036.740] FindClose (in: hFindFile=0x554840 | out: hFindFile=0x554840) returned 1 [0036.741] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3750060 | out: hHeap=0x500000) returned 1 [0036.741] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0036.741] FindClose (in: hFindFile=0x554800 | out: hFindFile=0x554800) returned 1 [0036.741] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3740058 | out: hHeap=0x500000) returned 1 [0036.741] FindNextFileW (in: hFindFile=0x5547c0, lpFindFileData=0x2eefd00 | out: lpFindFileData=0x2eefd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0036.741] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3740058 [0036.741] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554800 [0036.741] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.741] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0036.741] FindClose (in: hFindFile=0x554800 | out: hFindFile=0x554800) returned 1 [0036.741] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3740058 | out: hHeap=0x500000) returned 1 [0036.741] FindNextFileW (in: hFindFile=0x5547c0, lpFindFileData=0x2eefd00 | out: lpFindFileData=0x2eefd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0036.741] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3740058 [0036.742] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="?T\x16")) returned 0xffffffff [0036.742] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3740058 | out: hHeap=0x500000) returned 1 [0036.742] FindNextFileW (in: hFindFile=0x5547c0, lpFindFileData=0x2eefd00 | out: lpFindFileData=0x2eefd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0036.742] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3740058 [0036.742] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554800 [0036.742] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.742] FindNextFileW (in: hFindFile=0x554800, lpFindFileData=0x2eefa84 | out: lpFindFileData=0x2eefa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0036.742] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0036.743] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x554840 [0036.786] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.941] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0036.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3761070 [0036.946] FindNextFileW (in: hFindFile=0x55b0c0, lpFindFileData=0x2eef58c | out: lpFindFileData=0x2eef58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.946] FindNextFileW (in: hFindFile=0x55b0c0, lpFindFileData=0x2eef58c | out: lpFindFileData=0x2eef58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0037.233] FindClose (in: hFindFile=0x55b0c0 | out: hFindFile=0x55b0c0) returned 1 [0037.234] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3761070 | out: hHeap=0x500000) returned 1 [0037.234] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0037.769] FindNextFileW (in: hFindFile=0x55b0c0, lpFindFileData=0x2eef58c | out: lpFindFileData=0x2eef58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.769] FindNextFileW (in: hFindFile=0x55b0c0, lpFindFileData=0x2eef58c | out: lpFindFileData=0x2eef58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0038.075] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x38141b0 [0038.075] FindNextFileW (in: hFindFile=0x38141b0, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.075] FindNextFileW (in: hFindFile=0x38141b0, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0038.076] FindClose (in: hFindFile=0x38141b0 | out: hFindFile=0x38141b0) returned 1 [0038.076] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3ed1060 | out: hHeap=0x500000) returned 1 [0038.076] FindNextFileW (in: hFindFile=0x3814130, lpFindFileData=0x2eef58c | out: lpFindFileData=0x2eef58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0038.076] FindClose (in: hFindFile=0x3814130 | out: hFindFile=0x3814130) returned 1 [0038.076] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3761070 | out: hHeap=0x500000) returned 1 [0038.076] FindNextFileW (in: hFindFile=0x554840, lpFindFileData=0x2eef808 | out: lpFindFileData=0x2eef808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0039.635] FindClose (in: hFindFile=0x38142f0 | out: hFindFile=0x38142f0) returned 1 [0039.636] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3ef3080 | out: hHeap=0x500000) returned 1 [0039.636] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32.en-us", cAlternateFileName="OFFICE~2.EN-")) returned 1 [0039.636] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\*", lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x38142f0 [0039.695] FindNextFileW (in: hFindFile=0x38142f0, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.695] FindNextFileW (in: hFindFile=0x38142f0, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0039.696] FindClose (in: hFindFile=0x38142f0 | out: hFindFile=0x38142f0) returned 1 [0039.697] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3ef3080 | out: hHeap=0x500000) returned 1 [0039.697] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32.WW", cAlternateFileName="")) returned 1 [0039.697] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\*", lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x38143b0 [0040.567] FindNextFileW (in: hFindFile=0x38143b0, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.567] FindNextFileW (in: hFindFile=0x38143b0, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe09b760, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0041.196] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.198] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.198] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0041.199] lstrlenW (lpString="AFTRNOON.ELM") returned 12 [0041.199] lstrlenW (lpString=".1cd") returned 4 [0041.199] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0041.199] lstrlenW (lpString=".3ds") returned 4 [0041.199] lstrcmpiW (lpString1=".3ds", lpString2=".ELM") returned -1 [0041.200] lstrlenW (lpString=".3fr") returned 4 [0041.200] lstrcmpiW (lpString1=".3fr", lpString2=".ELM") returned -1 [0041.200] lstrlenW (lpString=".3g2") returned 4 [0041.200] lstrcmpiW (lpString1=".3g2", lpString2=".ELM") returned -1 [0041.200] lstrlenW (lpString=".3gp") returned 4 [0041.200] lstrcmpiW (lpString1=".3gp", lpString2=".ELM") returned -1 [0041.200] lstrlenW (lpString=".7z") returned 3 [0041.200] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0041.200] lstrlenW (lpString=".accda") returned 6 [0041.200] lstrcmpiW (lpString1=".accda", lpString2="ON.ELM") returned -1 [0041.200] lstrlenW (lpString=".accdb") returned 6 [0041.200] lstrcmpiW (lpString1=".accdb", lpString2="ON.ELM") returned -1 [0041.200] lstrlenW (lpString=".accdc") returned 6 [0041.200] lstrcmpiW (lpString1=".accdc", lpString2="ON.ELM") returned -1 [0041.200] lstrlenW (lpString=".accde") returned 6 [0041.200] lstrcmpiW (lpString1=".accde", lpString2="ON.ELM") returned -1 [0041.200] lstrlenW (lpString=".accdt") returned 6 [0041.200] lstrcmpiW (lpString1=".accdt", lpString2="ON.ELM") returned -1 [0041.200] lstrlenW (lpString=".accdw") returned 6 [0041.200] lstrcmpiW (lpString1=".accdw", lpString2="ON.ELM") returned -1 [0041.200] lstrlenW (lpString=".adb") returned 4 [0041.200] lstrcmpiW (lpString1=".adb", lpString2=".ELM") returned -1 [0041.200] lstrlenW (lpString=".adp") returned 4 [0041.200] lstrcmpiW (lpString1=".adp", lpString2=".ELM") returned -1 [0041.200] lstrlenW (lpString=".ai") returned 3 [0041.200] lstrcmpiW (lpString1=".ai", lpString2="ELM") returned -1 [0041.201] lstrlenW (lpString=".ai3") returned 4 [0041.201] lstrcmpiW (lpString1=".ai3", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".ai4") returned 4 [0041.201] lstrcmpiW (lpString1=".ai4", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".ai5") returned 4 [0041.201] lstrcmpiW (lpString1=".ai5", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".ai6") returned 4 [0041.201] lstrcmpiW (lpString1=".ai6", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".ai7") returned 4 [0041.201] lstrcmpiW (lpString1=".ai7", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".ai8") returned 4 [0041.201] lstrcmpiW (lpString1=".ai8", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".anim") returned 5 [0041.201] lstrcmpiW (lpString1=".anim", lpString2="N.ELM") returned -1 [0041.201] lstrlenW (lpString=".arw") returned 4 [0041.201] lstrcmpiW (lpString1=".arw", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".as") returned 3 [0041.201] lstrcmpiW (lpString1=".as", lpString2="ELM") returned -1 [0041.201] lstrlenW (lpString=".asa") returned 4 [0041.201] lstrcmpiW (lpString1=".asa", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".asc") returned 4 [0041.201] lstrcmpiW (lpString1=".asc", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".ascx") returned 5 [0041.201] lstrcmpiW (lpString1=".ascx", lpString2="N.ELM") returned -1 [0041.201] lstrlenW (lpString=".asm") returned 4 [0041.201] lstrcmpiW (lpString1=".asm", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".asmx") returned 5 [0041.201] lstrcmpiW (lpString1=".asmx", lpString2="N.ELM") returned -1 [0041.201] lstrlenW (lpString=".asp") returned 4 [0041.201] lstrcmpiW (lpString1=".asp", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".aspx") returned 5 [0041.201] lstrcmpiW (lpString1=".aspx", lpString2="N.ELM") returned -1 [0041.201] lstrlenW (lpString=".asr") returned 4 [0041.201] lstrcmpiW (lpString1=".asr", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".asx") returned 4 [0041.201] lstrcmpiW (lpString1=".asx", lpString2=".ELM") returned -1 [0041.201] lstrlenW (lpString=".avi") returned 4 [0041.202] lstrcmpiW (lpString1=".avi", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".avs") returned 4 [0041.202] lstrcmpiW (lpString1=".avs", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".backup") returned 7 [0041.202] lstrcmpiW (lpString1=".backup", lpString2="OON.ELM") returned -1 [0041.202] lstrlenW (lpString=".bak") returned 4 [0041.202] lstrcmpiW (lpString1=".bak", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".bay") returned 4 [0041.202] lstrcmpiW (lpString1=".bay", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".bd") returned 3 [0041.202] lstrcmpiW (lpString1=".bd", lpString2="ELM") returned -1 [0041.202] lstrlenW (lpString=".bin") returned 4 [0041.202] lstrcmpiW (lpString1=".bin", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".bmp") returned 4 [0041.202] lstrcmpiW (lpString1=".bmp", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".bz2") returned 4 [0041.202] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".c") returned 2 [0041.202] lstrcmpiW (lpString1=".c", lpString2="LM") returned -1 [0041.202] lstrlenW (lpString=".cdr") returned 4 [0041.202] lstrcmpiW (lpString1=".cdr", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".cer") returned 4 [0041.202] lstrcmpiW (lpString1=".cer", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".cf") returned 3 [0041.202] lstrcmpiW (lpString1=".cf", lpString2="ELM") returned -1 [0041.202] lstrlenW (lpString=".cfc") returned 4 [0041.202] lstrcmpiW (lpString1=".cfc", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".cfm") returned 4 [0041.202] lstrcmpiW (lpString1=".cfm", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".cfml") returned 5 [0041.202] lstrcmpiW (lpString1=".cfml", lpString2="N.ELM") returned -1 [0041.202] lstrlenW (lpString=".cfu") returned 4 [0041.202] lstrcmpiW (lpString1=".cfu", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".chm") returned 4 [0041.202] lstrcmpiW (lpString1=".chm", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".cin") returned 4 [0041.202] lstrcmpiW (lpString1=".cin", lpString2=".ELM") returned -1 [0041.202] lstrlenW (lpString=".class") returned 6 [0041.203] lstrcmpiW (lpString1=".class", lpString2="ON.ELM") returned -1 [0041.203] lstrlenW (lpString=".clx") returned 4 [0041.203] lstrcmpiW (lpString1=".clx", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".config") returned 7 [0041.203] lstrcmpiW (lpString1=".config", lpString2="OON.ELM") returned -1 [0041.203] lstrlenW (lpString=".cpp") returned 4 [0041.203] lstrcmpiW (lpString1=".cpp", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".cr2") returned 4 [0041.203] lstrcmpiW (lpString1=".cr2", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".crt") returned 4 [0041.203] lstrcmpiW (lpString1=".crt", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".crw") returned 4 [0041.203] lstrcmpiW (lpString1=".crw", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".cs") returned 3 [0041.203] lstrcmpiW (lpString1=".cs", lpString2="ELM") returned -1 [0041.203] lstrlenW (lpString=".css") returned 4 [0041.203] lstrcmpiW (lpString1=".css", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".csv") returned 4 [0041.203] lstrcmpiW (lpString1=".csv", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".cub") returned 4 [0041.203] lstrcmpiW (lpString1=".cub", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".dae") returned 4 [0041.203] lstrcmpiW (lpString1=".dae", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".dat") returned 4 [0041.203] lstrcmpiW (lpString1=".dat", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".db") returned 3 [0041.203] lstrcmpiW (lpString1=".db", lpString2="ELM") returned -1 [0041.203] lstrlenW (lpString=".dbf") returned 4 [0041.203] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".dbx") returned 4 [0041.203] lstrcmpiW (lpString1=".dbx", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".dc3") returned 4 [0041.203] lstrcmpiW (lpString1=".dc3", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".dcm") returned 4 [0041.203] lstrcmpiW (lpString1=".dcm", lpString2=".ELM") returned -1 [0041.203] lstrlenW (lpString=".dcr") returned 4 [0041.203] lstrcmpiW (lpString1=".dcr", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".der") returned 4 [0041.204] lstrcmpiW (lpString1=".der", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dib") returned 4 [0041.204] lstrcmpiW (lpString1=".dib", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dic") returned 4 [0041.204] lstrcmpiW (lpString1=".dic", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dif") returned 4 [0041.204] lstrcmpiW (lpString1=".dif", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".divx") returned 5 [0041.204] lstrcmpiW (lpString1=".divx", lpString2="N.ELM") returned -1 [0041.204] lstrlenW (lpString=".djvu") returned 5 [0041.204] lstrcmpiW (lpString1=".djvu", lpString2="N.ELM") returned -1 [0041.204] lstrlenW (lpString=".dng") returned 4 [0041.204] lstrcmpiW (lpString1=".dng", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".doc") returned 4 [0041.204] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".docm") returned 5 [0041.204] lstrcmpiW (lpString1=".docm", lpString2="N.ELM") returned -1 [0041.204] lstrlenW (lpString=".docx") returned 5 [0041.204] lstrcmpiW (lpString1=".docx", lpString2="N.ELM") returned -1 [0041.204] lstrlenW (lpString=".dot") returned 4 [0041.204] lstrcmpiW (lpString1=".dot", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dotm") returned 5 [0041.204] lstrcmpiW (lpString1=".dotm", lpString2="N.ELM") returned -1 [0041.204] lstrlenW (lpString=".dotx") returned 5 [0041.204] lstrcmpiW (lpString1=".dotx", lpString2="N.ELM") returned -1 [0041.204] lstrlenW (lpString=".dpx") returned 4 [0041.204] lstrcmpiW (lpString1=".dpx", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dqy") returned 4 [0041.204] lstrcmpiW (lpString1=".dqy", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dsn") returned 4 [0041.204] lstrcmpiW (lpString1=".dsn", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dt") returned 3 [0041.204] lstrcmpiW (lpString1=".dt", lpString2="ELM") returned -1 [0041.204] lstrlenW (lpString=".dtd") returned 4 [0041.204] lstrcmpiW (lpString1=".dtd", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dwg") returned 4 [0041.204] lstrcmpiW (lpString1=".dwg", lpString2=".ELM") returned -1 [0041.204] lstrlenW (lpString=".dwt") returned 4 [0041.205] lstrcmpiW (lpString1=".dwt", lpString2=".ELM") returned -1 [0041.205] lstrlenW (lpString=".dx") returned 3 [0041.205] lstrcmpiW (lpString1=".dx", lpString2="ELM") returned -1 [0041.205] lstrlenW (lpString=".dxf") returned 4 [0041.205] lstrcmpiW (lpString1=".dxf", lpString2=".ELM") returned -1 [0041.205] lstrlenW (lpString=".edml") returned 5 [0041.205] lstrcmpiW (lpString1=".edml", lpString2="N.ELM") returned -1 [0041.205] lstrlenW (lpString=".efd") returned 4 [0041.205] lstrcmpiW (lpString1=".efd", lpString2=".ELM") returned -1 [0041.205] lstrlenW (lpString=".elf") returned 4 [0041.205] lstrcmpiW (lpString1=".elf", lpString2=".ELM") returned -1 [0041.205] lstrlenW (lpString=".emf") returned 4 [0041.205] lstrcmpiW (lpString1=".emf", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".emz") returned 4 [0041.205] lstrcmpiW (lpString1=".emz", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".epf") returned 4 [0041.205] lstrcmpiW (lpString1=".epf", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".eps") returned 4 [0041.205] lstrcmpiW (lpString1=".eps", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".epsf") returned 5 [0041.205] lstrcmpiW (lpString1=".epsf", lpString2="N.ELM") returned -1 [0041.205] lstrlenW (lpString=".epsp") returned 5 [0041.205] lstrcmpiW (lpString1=".epsp", lpString2="N.ELM") returned -1 [0041.205] lstrlenW (lpString=".erf") returned 4 [0041.205] lstrcmpiW (lpString1=".erf", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".exr") returned 4 [0041.205] lstrcmpiW (lpString1=".exr", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".f4v") returned 4 [0041.205] lstrcmpiW (lpString1=".f4v", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".fido") returned 5 [0041.205] lstrcmpiW (lpString1=".fido", lpString2="N.ELM") returned -1 [0041.205] lstrlenW (lpString=".flm") returned 4 [0041.205] lstrcmpiW (lpString1=".flm", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".flv") returned 4 [0041.205] lstrcmpiW (lpString1=".flv", lpString2=".ELM") returned 1 [0041.205] lstrlenW (lpString=".frm") returned 4 [0041.205] lstrcmpiW (lpString1=".frm", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".fxg") returned 4 [0041.206] lstrcmpiW (lpString1=".fxg", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".geo") returned 4 [0041.206] lstrcmpiW (lpString1=".geo", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".gif") returned 4 [0041.206] lstrcmpiW (lpString1=".gif", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".grs") returned 4 [0041.206] lstrcmpiW (lpString1=".grs", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".gz") returned 3 [0041.206] lstrcmpiW (lpString1=".gz", lpString2="ELM") returned -1 [0041.206] lstrlenW (lpString=".h") returned 2 [0041.206] lstrcmpiW (lpString1=".h", lpString2="LM") returned -1 [0041.206] lstrlenW (lpString=".hdr") returned 4 [0041.206] lstrcmpiW (lpString1=".hdr", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".hpp") returned 4 [0041.206] lstrcmpiW (lpString1=".hpp", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".hta") returned 4 [0041.206] lstrcmpiW (lpString1=".hta", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".htc") returned 4 [0041.206] lstrcmpiW (lpString1=".htc", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".htm") returned 4 [0041.206] lstrcmpiW (lpString1=".htm", lpString2=".ELM") returned 1 [0041.206] lstrlenW (lpString=".html") returned 5 [0041.206] lstrcmpiW (lpString1=".html", lpString2="N.ELM") returned -1 [0041.206] lstrlenW (lpString=".icb") returned 4 [0041.206] lstrcmpiW (lpString1=".icb", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".ics") returned 4 [0041.207] lstrcmpiW (lpString1=".ics", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".iff") returned 4 [0041.207] lstrcmpiW (lpString1=".iff", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".inc") returned 4 [0041.207] lstrcmpiW (lpString1=".inc", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".indd") returned 5 [0041.207] lstrcmpiW (lpString1=".indd", lpString2="N.ELM") returned -1 [0041.207] lstrlenW (lpString=".ini") returned 4 [0041.207] lstrcmpiW (lpString1=".ini", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".iqy") returned 4 [0041.207] lstrcmpiW (lpString1=".iqy", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".j2c") returned 4 [0041.207] lstrcmpiW (lpString1=".j2c", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".j2k") returned 4 [0041.207] lstrcmpiW (lpString1=".j2k", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".java") returned 5 [0041.207] lstrcmpiW (lpString1=".java", lpString2="N.ELM") returned -1 [0041.207] lstrlenW (lpString=".jp2") returned 4 [0041.207] lstrcmpiW (lpString1=".jp2", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".jpc") returned 4 [0041.207] lstrcmpiW (lpString1=".jpc", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".jpe") returned 4 [0041.207] lstrcmpiW (lpString1=".jpe", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".jpeg") returned 5 [0041.207] lstrcmpiW (lpString1=".jpeg", lpString2="N.ELM") returned -1 [0041.207] lstrlenW (lpString=".jpf") returned 4 [0041.207] lstrcmpiW (lpString1=".jpf", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".jpg") returned 4 [0041.207] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".jpx") returned 4 [0041.207] lstrcmpiW (lpString1=".jpx", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".js") returned 3 [0041.207] lstrcmpiW (lpString1=".js", lpString2="ELM") returned -1 [0041.207] lstrlenW (lpString=".jsf") returned 4 [0041.207] lstrcmpiW (lpString1=".jsf", lpString2=".ELM") returned 1 [0041.207] lstrlenW (lpString=".json") returned 5 [0041.207] lstrcmpiW (lpString1=".json", lpString2="N.ELM") returned -1 [0041.208] lstrlenW (lpString=".jsp") returned 4 [0041.208] lstrcmpiW (lpString1=".jsp", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".kdc") returned 4 [0041.208] lstrcmpiW (lpString1=".kdc", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".kmz") returned 4 [0041.208] lstrcmpiW (lpString1=".kmz", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".kwm") returned 4 [0041.208] lstrcmpiW (lpString1=".kwm", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".lasso") returned 6 [0041.208] lstrcmpiW (lpString1=".lasso", lpString2="ON.ELM") returned -1 [0041.208] lstrlenW (lpString=".lbi") returned 4 [0041.208] lstrcmpiW (lpString1=".lbi", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".lgf") returned 4 [0041.208] lstrcmpiW (lpString1=".lgf", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".lgp") returned 4 [0041.208] lstrcmpiW (lpString1=".lgp", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".log") returned 4 [0041.208] lstrcmpiW (lpString1=".log", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".m1v") returned 4 [0041.208] lstrcmpiW (lpString1=".m1v", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".m4a") returned 4 [0041.208] lstrcmpiW (lpString1=".m4a", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".m4v") returned 4 [0041.208] lstrcmpiW (lpString1=".m4v", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".max") returned 4 [0041.208] lstrcmpiW (lpString1=".max", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".md") returned 3 [0041.208] lstrcmpiW (lpString1=".md", lpString2="ELM") returned -1 [0041.208] lstrlenW (lpString=".mda") returned 4 [0041.208] lstrcmpiW (lpString1=".mda", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".mdb") returned 4 [0041.208] lstrcmpiW (lpString1=".mdb", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".mde") returned 4 [0041.208] lstrcmpiW (lpString1=".mde", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".mdf") returned 4 [0041.208] lstrcmpiW (lpString1=".mdf", lpString2=".ELM") returned 1 [0041.208] lstrlenW (lpString=".mdw") returned 4 [0041.209] lstrcmpiW (lpString1=".mdw", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mef") returned 4 [0041.209] lstrcmpiW (lpString1=".mef", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mft") returned 4 [0041.209] lstrcmpiW (lpString1=".mft", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mfw") returned 4 [0041.209] lstrcmpiW (lpString1=".mfw", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mht") returned 4 [0041.209] lstrcmpiW (lpString1=".mht", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mhtml") returned 6 [0041.209] lstrcmpiW (lpString1=".mhtml", lpString2="ON.ELM") returned -1 [0041.209] lstrlenW (lpString=".mka") returned 4 [0041.209] lstrcmpiW (lpString1=".mka", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mkidx") returned 6 [0041.209] lstrcmpiW (lpString1=".mkidx", lpString2="ON.ELM") returned -1 [0041.209] lstrlenW (lpString=".mkv") returned 4 [0041.209] lstrcmpiW (lpString1=".mkv", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mos") returned 4 [0041.209] lstrcmpiW (lpString1=".mos", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mov") returned 4 [0041.209] lstrcmpiW (lpString1=".mov", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mp3") returned 4 [0041.209] lstrcmpiW (lpString1=".mp3", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mp4") returned 4 [0041.209] lstrcmpiW (lpString1=".mp4", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mpeg") returned 5 [0041.209] lstrcmpiW (lpString1=".mpeg", lpString2="N.ELM") returned -1 [0041.209] lstrlenW (lpString=".mpg") returned 4 [0041.209] lstrcmpiW (lpString1=".mpg", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mpv") returned 4 [0041.209] lstrcmpiW (lpString1=".mpv", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mrw") returned 4 [0041.209] lstrcmpiW (lpString1=".mrw", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".msg") returned 4 [0041.209] lstrcmpiW (lpString1=".msg", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".mxl") returned 4 [0041.209] lstrcmpiW (lpString1=".mxl", lpString2=".ELM") returned 1 [0041.209] lstrlenW (lpString=".myd") returned 4 [0041.210] lstrcmpiW (lpString1=".myd", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".myi") returned 4 [0041.210] lstrcmpiW (lpString1=".myi", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".nef") returned 4 [0041.210] lstrcmpiW (lpString1=".nef", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".nrw") returned 4 [0041.210] lstrcmpiW (lpString1=".nrw", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".obj") returned 4 [0041.210] lstrcmpiW (lpString1=".obj", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".odb") returned 4 [0041.210] lstrcmpiW (lpString1=".odb", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".odc") returned 4 [0041.210] lstrcmpiW (lpString1=".odc", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".odm") returned 4 [0041.210] lstrcmpiW (lpString1=".odm", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".odp") returned 4 [0041.210] lstrcmpiW (lpString1=".odp", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".ods") returned 4 [0041.210] lstrcmpiW (lpString1=".ods", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".oft") returned 4 [0041.210] lstrcmpiW (lpString1=".oft", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".one") returned 4 [0041.210] lstrcmpiW (lpString1=".one", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".onepkg") returned 7 [0041.210] lstrcmpiW (lpString1=".onepkg", lpString2="OON.ELM") returned -1 [0041.210] lstrlenW (lpString=".onetoc2") returned 8 [0041.210] lstrcmpiW (lpString1=".onetoc2", lpString2="NOON.ELM") returned -1 [0041.210] lstrlenW (lpString=".opt") returned 4 [0041.210] lstrcmpiW (lpString1=".opt", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".oqy") returned 4 [0041.210] lstrcmpiW (lpString1=".oqy", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".orf") returned 4 [0041.210] lstrcmpiW (lpString1=".orf", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".p12") returned 4 [0041.210] lstrcmpiW (lpString1=".p12", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".p7b") returned 4 [0041.210] lstrcmpiW (lpString1=".p7b", lpString2=".ELM") returned 1 [0041.210] lstrlenW (lpString=".p7c") returned 4 [0041.211] lstrcmpiW (lpString1=".p7c", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pam") returned 4 [0041.211] lstrcmpiW (lpString1=".pam", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pbm") returned 4 [0041.211] lstrcmpiW (lpString1=".pbm", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pct") returned 4 [0041.211] lstrcmpiW (lpString1=".pct", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pcx") returned 4 [0041.211] lstrcmpiW (lpString1=".pcx", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pdd") returned 4 [0041.211] lstrcmpiW (lpString1=".pdd", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pdf") returned 4 [0041.211] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pdp") returned 4 [0041.211] lstrcmpiW (lpString1=".pdp", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pef") returned 4 [0041.211] lstrcmpiW (lpString1=".pef", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pem") returned 4 [0041.211] lstrcmpiW (lpString1=".pem", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pff") returned 4 [0041.211] lstrcmpiW (lpString1=".pff", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pfm") returned 4 [0041.211] lstrcmpiW (lpString1=".pfm", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pfx") returned 4 [0041.211] lstrcmpiW (lpString1=".pfx", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".pgm") returned 4 [0041.211] lstrcmpiW (lpString1=".pgm", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".php") returned 4 [0041.211] lstrcmpiW (lpString1=".php", lpString2=".ELM") returned 1 [0041.211] lstrlenW (lpString=".php3") returned 5 [0041.211] lstrcmpiW (lpString1=".php3", lpString2="N.ELM") returned -1 [0041.211] lstrlenW (lpString=".php4") returned 5 [0041.211] lstrcmpiW (lpString1=".php4", lpString2="N.ELM") returned -1 [0041.211] lstrlenW (lpString=".php5") returned 5 [0041.211] lstrcmpiW (lpString1=".php5", lpString2="N.ELM") returned -1 [0041.211] lstrlenW (lpString=".phtml") returned 6 [0041.211] lstrcmpiW (lpString1=".phtml", lpString2="ON.ELM") returned -1 [0041.211] lstrlenW (lpString=".pict") returned 5 [0041.212] lstrcmpiW (lpString1=".pict", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".pl") returned 3 [0041.212] lstrcmpiW (lpString1=".pl", lpString2="ELM") returned -1 [0041.212] lstrlenW (lpString=".pls") returned 4 [0041.212] lstrcmpiW (lpString1=".pls", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".pm") returned 3 [0041.212] lstrcmpiW (lpString1=".pm", lpString2="ELM") returned -1 [0041.212] lstrlenW (lpString=".png") returned 4 [0041.212] lstrcmpiW (lpString1=".png", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".pnm") returned 4 [0041.212] lstrcmpiW (lpString1=".pnm", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".pot") returned 4 [0041.212] lstrcmpiW (lpString1=".pot", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".potm") returned 5 [0041.212] lstrcmpiW (lpString1=".potm", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".potx") returned 5 [0041.212] lstrcmpiW (lpString1=".potx", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".ppa") returned 4 [0041.212] lstrcmpiW (lpString1=".ppa", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".ppam") returned 5 [0041.212] lstrcmpiW (lpString1=".ppam", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".ppm") returned 4 [0041.212] lstrcmpiW (lpString1=".ppm", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".pps") returned 4 [0041.212] lstrcmpiW (lpString1=".pps", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".ppsm") returned 5 [0041.212] lstrcmpiW (lpString1=".ppsm", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".ppt") returned 4 [0041.212] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".pptm") returned 5 [0041.212] lstrcmpiW (lpString1=".pptm", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".pptx") returned 5 [0041.212] lstrcmpiW (lpString1=".pptx", lpString2="N.ELM") returned -1 [0041.212] lstrlenW (lpString=".prn") returned 4 [0041.212] lstrcmpiW (lpString1=".prn", lpString2=".ELM") returned 1 [0041.212] lstrlenW (lpString=".ps") returned 3 [0041.212] lstrcmpiW (lpString1=".ps", lpString2="ELM") returned -1 [0041.213] lstrlenW (lpString=".psb") returned 4 [0041.213] lstrcmpiW (lpString1=".psb", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".psd") returned 4 [0041.213] lstrcmpiW (lpString1=".psd", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".pst") returned 4 [0041.213] lstrcmpiW (lpString1=".pst", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".ptx") returned 4 [0041.213] lstrcmpiW (lpString1=".ptx", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".pub") returned 4 [0041.213] lstrcmpiW (lpString1=".pub", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".pwm") returned 4 [0041.213] lstrcmpiW (lpString1=".pwm", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".pxr") returned 4 [0041.213] lstrcmpiW (lpString1=".pxr", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".py") returned 3 [0041.213] lstrcmpiW (lpString1=".py", lpString2="ELM") returned -1 [0041.213] lstrlenW (lpString=".qt") returned 3 [0041.213] lstrcmpiW (lpString1=".qt", lpString2="ELM") returned -1 [0041.213] lstrlenW (lpString=".r3d") returned 4 [0041.213] lstrcmpiW (lpString1=".r3d", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".raf") returned 4 [0041.213] lstrcmpiW (lpString1=".raf", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".rar") returned 4 [0041.213] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0041.213] lstrlenW (lpString=".raw") returned 4 [0041.213] lstrcmpiW (lpString1=".raw", lpString2=".ELM") returned 1 [0041.213] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.214] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.214] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0041.214] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.215] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.215] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc081900, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdc081900, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10fc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.ELM", cAlternateFileName="")) returned 1 [0041.215] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.215] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.215] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS", cAlternateFileName="")) returned 1 [0041.215] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.216] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.216] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0041.217] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.217] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.217] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0041.217] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.218] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.218] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32f2700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32f2700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10db7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.ELM", cAlternateFileName="")) returned 1 [0041.218] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.218] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.218] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0041.218] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.218] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.218] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c2ae00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5f775610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6c2ae00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xc2ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.ELM", cAlternateFileName="")) returned 1 [0041.219] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.219] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.219] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0041.219] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.220] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.220] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3db00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7f3db00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xda86, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.ELM", cAlternateFileName="")) returned 1 [0041.220] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.220] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.220] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0041.220] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.221] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.221] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9250800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe9250800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xeafa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI.ELM", cAlternateFileName="")) returned 1 [0041.221] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.221] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.221] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0041.221] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.222] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.222] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea563500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea563500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1a537, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE.ELM", cAlternateFileName="")) returned 1 [0041.223] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.223] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.223] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON", cAlternateFileName="")) returned 1 [0041.223] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.227] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.227] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb876200, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c2ab50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb876200, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec9, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON.ELM", cAlternateFileName="")) returned 1 [0041.227] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.229] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.229] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0041.229] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.230] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.230] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb88f00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x603362b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xecb88f00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe1ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES.ELM", cAlternateFileName="")) returned 1 [0041.230] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.231] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.231] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0041.231] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.231] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.232] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede9bc00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xede9bc00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xba44, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE.ELM", cAlternateFileName="")) returned 1 [0041.232] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.232] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.232] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0041.232] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.233] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.233] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf17d4300, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6041aaf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf17d4300, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xd613, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS.ELM", cAlternateFileName="")) returned 1 [0041.233] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.233] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.233] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0041.233] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.234] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.234] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2ae7000, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2ae7000, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb1d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE.ELM", cAlternateFileName="")) returned 1 [0041.234] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.234] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.234] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0041.234] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.235] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.235] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf641f700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf641f700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x116dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE.ELM", cAlternateFileName="")) returned 1 [0041.236] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.236] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.236] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO", cAlternateFileName="")) returned 1 [0041.236] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.237] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.237] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a45100, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8a45100, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb0ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO.ELM", cAlternateFileName="")) returned 1 [0041.237] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.237] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.237] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0041.237] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.238] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.238] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d57e00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51eb22b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9d57e00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1cf31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE.ELM", cAlternateFileName="")) returned 1 [0041.238] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.238] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.238] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE", cAlternateFileName="")) returned 1 [0041.239] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.240] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.240] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb06ab00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51f70990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfb06ab00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE.ELM", cAlternateFileName="")) returned 1 [0041.240] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.240] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.240] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0041.240] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.569] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.569] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc37d800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x52008f10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc37d800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x12dee, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN.ELM", cAlternateFileName="")) returned 1 [0041.573] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.573] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.573] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0041.579] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.579] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.579] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd690500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd690500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x19539, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN.ELM", cAlternateFileName="")) returned 1 [0041.602] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.603] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE", cAlternateFileName="")) returned 1 [0041.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE") returned 59 [0041.603] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE") returned 1 [0041.603] lstrlenW (lpString="ICE") returned 3 [0041.603] lstrcmpiW (lpString1="C:\\Windows", lpString2="ICE") returned -1 [0041.603] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3f2d0a0 [0041.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE") returned 59 [0041.603] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.603] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.603] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ee600, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35ee600, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x109d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE.ELM", cAlternateFileName="")) returned 1 [0041.603] lstrlenW (lpString="ICE.ELM") returned 7 [0041.603] lstrlenW (lpString=".1cd") returned 4 [0041.603] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0041.603] lstrlenW (lpString=".3ds") returned 4 [0041.603] lstrcmpiW (lpString1=".3ds", lpString2=".ELM") returned -1 [0041.604] lstrlenW (lpString=".3fr") returned 4 [0041.604] lstrcmpiW (lpString1=".3fr", lpString2=".ELM") returned -1 [0041.604] lstrlenW (lpString=".3g2") returned 4 [0041.604] lstrcmpiW (lpString1=".3g2", lpString2=".ELM") returned -1 [0041.604] lstrlenW (lpString=".3gp") returned 4 [0041.604] lstrcmpiW (lpString1=".3gp", lpString2=".ELM") returned -1 [0041.604] lstrlenW (lpString=".7z") returned 3 [0041.604] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0041.604] lstrlenW (lpString=".accda") returned 6 [0041.604] lstrcmpiW (lpString1=".accda", lpString2="CE.ELM") returned -1 [0041.604] lstrlenW (lpString=".accdb") returned 6 [0041.604] lstrcmpiW (lpString1=".accdb", lpString2="CE.ELM") returned -1 [0041.604] lstrlenW (lpString=".accdc") returned 6 [0041.604] lstrcmpiW (lpString1=".accdc", lpString2="CE.ELM") returned -1 [0041.604] lstrlenW (lpString=".accde") returned 6 [0041.604] lstrcmpiW (lpString1=".accde", lpString2="CE.ELM") returned -1 [0041.604] lstrlenW (lpString=".accdt") returned 6 [0041.604] lstrcmpiW (lpString1=".accdt", lpString2="CE.ELM") returned -1 [0041.604] lstrlenW (lpString=".accdw") returned 6 [0041.604] lstrcmpiW (lpString1=".accdw", lpString2="CE.ELM") returned -1 [0041.604] lstrlenW (lpString=".adb") returned 4 [0041.604] lstrcmpiW (lpString1=".adb", lpString2=".ELM") returned -1 [0041.604] lstrlenW (lpString=".adp") returned 4 [0041.604] lstrcmpiW (lpString1=".adp", lpString2=".ELM") returned -1 [0041.604] lstrlenW (lpString=".ai") returned 3 [0041.604] lstrcmpiW (lpString1=".ai", lpString2="ELM") returned -1 [0041.604] lstrlenW (lpString=".ai3") returned 4 [0041.604] lstrcmpiW (lpString1=".ai3", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".ai4") returned 4 [0041.605] lstrcmpiW (lpString1=".ai4", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".ai5") returned 4 [0041.605] lstrcmpiW (lpString1=".ai5", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".ai6") returned 4 [0041.605] lstrcmpiW (lpString1=".ai6", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".ai7") returned 4 [0041.605] lstrcmpiW (lpString1=".ai7", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".ai8") returned 4 [0041.605] lstrcmpiW (lpString1=".ai8", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".anim") returned 5 [0041.605] lstrcmpiW (lpString1=".anim", lpString2="E.ELM") returned -1 [0041.605] lstrlenW (lpString=".arw") returned 4 [0041.605] lstrcmpiW (lpString1=".arw", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".as") returned 3 [0041.605] lstrcmpiW (lpString1=".as", lpString2="ELM") returned -1 [0041.605] lstrlenW (lpString=".asa") returned 4 [0041.605] lstrcmpiW (lpString1=".asa", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".asc") returned 4 [0041.605] lstrcmpiW (lpString1=".asc", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".ascx") returned 5 [0041.605] lstrcmpiW (lpString1=".ascx", lpString2="E.ELM") returned -1 [0041.605] lstrlenW (lpString=".asm") returned 4 [0041.605] lstrcmpiW (lpString1=".asm", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".asmx") returned 5 [0041.605] lstrcmpiW (lpString1=".asmx", lpString2="E.ELM") returned -1 [0041.605] lstrlenW (lpString=".asp") returned 4 [0041.605] lstrcmpiW (lpString1=".asp", lpString2=".ELM") returned -1 [0041.605] lstrlenW (lpString=".aspx") returned 5 [0041.606] lstrcmpiW (lpString1=".aspx", lpString2="E.ELM") returned -1 [0041.606] lstrlenW (lpString=".asr") returned 4 [0041.606] lstrcmpiW (lpString1=".asr", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".asx") returned 4 [0041.606] lstrcmpiW (lpString1=".asx", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".avi") returned 4 [0041.606] lstrcmpiW (lpString1=".avi", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".avs") returned 4 [0041.606] lstrcmpiW (lpString1=".avs", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".backup") returned 7 [0041.606] lstrcmpiW (lpString1=".backup", lpString2="ICE.ELM") returned -1 [0041.606] lstrlenW (lpString=".bak") returned 4 [0041.606] lstrcmpiW (lpString1=".bak", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".bay") returned 4 [0041.606] lstrcmpiW (lpString1=".bay", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".bd") returned 3 [0041.606] lstrcmpiW (lpString1=".bd", lpString2="ELM") returned -1 [0041.606] lstrlenW (lpString=".bin") returned 4 [0041.606] lstrcmpiW (lpString1=".bin", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".bmp") returned 4 [0041.606] lstrcmpiW (lpString1=".bmp", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".bz2") returned 4 [0041.606] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".c") returned 2 [0041.606] lstrcmpiW (lpString1=".c", lpString2="LM") returned -1 [0041.606] lstrlenW (lpString=".cdr") returned 4 [0041.606] lstrcmpiW (lpString1=".cdr", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".cer") returned 4 [0041.606] lstrcmpiW (lpString1=".cer", lpString2=".ELM") returned -1 [0041.606] lstrlenW (lpString=".cf") returned 3 [0041.607] lstrcmpiW (lpString1=".cf", lpString2="ELM") returned -1 [0041.607] lstrlenW (lpString=".cfc") returned 4 [0041.607] lstrcmpiW (lpString1=".cfc", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".cfm") returned 4 [0041.607] lstrcmpiW (lpString1=".cfm", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".cfml") returned 5 [0041.607] lstrcmpiW (lpString1=".cfml", lpString2="E.ELM") returned -1 [0041.607] lstrlenW (lpString=".cfu") returned 4 [0041.607] lstrcmpiW (lpString1=".cfu", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".chm") returned 4 [0041.607] lstrcmpiW (lpString1=".chm", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".cin") returned 4 [0041.607] lstrcmpiW (lpString1=".cin", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".class") returned 6 [0041.607] lstrcmpiW (lpString1=".class", lpString2="CE.ELM") returned -1 [0041.607] lstrlenW (lpString=".clx") returned 4 [0041.607] lstrcmpiW (lpString1=".clx", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".config") returned 7 [0041.607] lstrcmpiW (lpString1=".config", lpString2="ICE.ELM") returned -1 [0041.607] lstrlenW (lpString=".cpp") returned 4 [0041.607] lstrcmpiW (lpString1=".cpp", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".cr2") returned 4 [0041.607] lstrcmpiW (lpString1=".cr2", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".crt") returned 4 [0041.607] lstrcmpiW (lpString1=".crt", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".crw") returned 4 [0041.607] lstrcmpiW (lpString1=".crw", lpString2=".ELM") returned -1 [0041.607] lstrlenW (lpString=".cs") returned 3 [0041.607] lstrcmpiW (lpString1=".cs", lpString2="ELM") returned -1 [0041.607] lstrlenW (lpString=".css") returned 4 [0041.607] lstrcmpiW (lpString1=".css", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".csv") returned 4 [0041.608] lstrcmpiW (lpString1=".csv", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".cub") returned 4 [0041.608] lstrcmpiW (lpString1=".cub", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dae") returned 4 [0041.608] lstrcmpiW (lpString1=".dae", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dat") returned 4 [0041.608] lstrcmpiW (lpString1=".dat", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".db") returned 3 [0041.608] lstrcmpiW (lpString1=".db", lpString2="ELM") returned -1 [0041.608] lstrlenW (lpString=".dbf") returned 4 [0041.608] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dbx") returned 4 [0041.608] lstrcmpiW (lpString1=".dbx", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dc3") returned 4 [0041.608] lstrcmpiW (lpString1=".dc3", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dcm") returned 4 [0041.608] lstrcmpiW (lpString1=".dcm", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dcr") returned 4 [0041.608] lstrcmpiW (lpString1=".dcr", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".der") returned 4 [0041.608] lstrcmpiW (lpString1=".der", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dib") returned 4 [0041.608] lstrcmpiW (lpString1=".dib", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dic") returned 4 [0041.608] lstrcmpiW (lpString1=".dic", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".dif") returned 4 [0041.608] lstrcmpiW (lpString1=".dif", lpString2=".ELM") returned -1 [0041.608] lstrlenW (lpString=".divx") returned 5 [0041.609] lstrcmpiW (lpString1=".divx", lpString2="E.ELM") returned -1 [0041.609] lstrlenW (lpString=".djvu") returned 5 [0041.609] lstrcmpiW (lpString1=".djvu", lpString2="E.ELM") returned -1 [0041.609] lstrlenW (lpString=".dng") returned 4 [0041.609] lstrcmpiW (lpString1=".dng", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".doc") returned 4 [0041.609] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".docm") returned 5 [0041.609] lstrcmpiW (lpString1=".docm", lpString2="E.ELM") returned -1 [0041.609] lstrlenW (lpString=".docx") returned 5 [0041.609] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0041.609] lstrlenW (lpString=".dot") returned 4 [0041.609] lstrcmpiW (lpString1=".dot", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dotm") returned 5 [0041.609] lstrcmpiW (lpString1=".dotm", lpString2="E.ELM") returned -1 [0041.609] lstrlenW (lpString=".dotx") returned 5 [0041.609] lstrcmpiW (lpString1=".dotx", lpString2="E.ELM") returned -1 [0041.609] lstrlenW (lpString=".dpx") returned 4 [0041.609] lstrcmpiW (lpString1=".dpx", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dqy") returned 4 [0041.609] lstrcmpiW (lpString1=".dqy", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dsn") returned 4 [0041.609] lstrcmpiW (lpString1=".dsn", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dt") returned 3 [0041.609] lstrcmpiW (lpString1=".dt", lpString2="ELM") returned -1 [0041.609] lstrlenW (lpString=".dtd") returned 4 [0041.609] lstrcmpiW (lpString1=".dtd", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dwg") returned 4 [0041.609] lstrcmpiW (lpString1=".dwg", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dwt") returned 4 [0041.609] lstrcmpiW (lpString1=".dwt", lpString2=".ELM") returned -1 [0041.609] lstrlenW (lpString=".dx") returned 3 [0041.610] lstrcmpiW (lpString1=".dx", lpString2="ELM") returned -1 [0041.610] lstrlenW (lpString=".dxf") returned 4 [0041.610] lstrcmpiW (lpString1=".dxf", lpString2=".ELM") returned -1 [0041.610] lstrlenW (lpString=".edml") returned 5 [0041.610] lstrcmpiW (lpString1=".edml", lpString2="E.ELM") returned -1 [0041.610] lstrlenW (lpString=".efd") returned 4 [0041.610] lstrcmpiW (lpString1=".efd", lpString2=".ELM") returned -1 [0041.610] lstrlenW (lpString=".elf") returned 4 [0041.610] lstrcmpiW (lpString1=".elf", lpString2=".ELM") returned -1 [0041.610] lstrlenW (lpString=".emf") returned 4 [0041.610] lstrcmpiW (lpString1=".emf", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".emz") returned 4 [0041.610] lstrcmpiW (lpString1=".emz", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".epf") returned 4 [0041.610] lstrcmpiW (lpString1=".epf", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".eps") returned 4 [0041.610] lstrcmpiW (lpString1=".eps", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".epsf") returned 5 [0041.610] lstrcmpiW (lpString1=".epsf", lpString2="E.ELM") returned -1 [0041.610] lstrlenW (lpString=".epsp") returned 5 [0041.610] lstrcmpiW (lpString1=".epsp", lpString2="E.ELM") returned -1 [0041.610] lstrlenW (lpString=".erf") returned 4 [0041.610] lstrcmpiW (lpString1=".erf", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".exr") returned 4 [0041.610] lstrcmpiW (lpString1=".exr", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".f4v") returned 4 [0041.610] lstrcmpiW (lpString1=".f4v", lpString2=".ELM") returned 1 [0041.610] lstrlenW (lpString=".fido") returned 5 [0041.610] lstrcmpiW (lpString1=".fido", lpString2="E.ELM") returned -1 [0041.610] lstrlenW (lpString=".flm") returned 4 [0041.610] lstrcmpiW (lpString1=".flm", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".flv") returned 4 [0041.611] lstrcmpiW (lpString1=".flv", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".frm") returned 4 [0041.611] lstrcmpiW (lpString1=".frm", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".fxg") returned 4 [0041.611] lstrcmpiW (lpString1=".fxg", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".geo") returned 4 [0041.611] lstrcmpiW (lpString1=".geo", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".gif") returned 4 [0041.611] lstrcmpiW (lpString1=".gif", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".grs") returned 4 [0041.611] lstrcmpiW (lpString1=".grs", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".gz") returned 3 [0041.611] lstrcmpiW (lpString1=".gz", lpString2="ELM") returned -1 [0041.611] lstrlenW (lpString=".h") returned 2 [0041.611] lstrcmpiW (lpString1=".h", lpString2="LM") returned -1 [0041.611] lstrlenW (lpString=".hdr") returned 4 [0041.611] lstrcmpiW (lpString1=".hdr", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".hpp") returned 4 [0041.611] lstrcmpiW (lpString1=".hpp", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".hta") returned 4 [0041.611] lstrcmpiW (lpString1=".hta", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".htc") returned 4 [0041.611] lstrcmpiW (lpString1=".htc", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".htm") returned 4 [0041.611] lstrcmpiW (lpString1=".htm", lpString2=".ELM") returned 1 [0041.611] lstrlenW (lpString=".html") returned 5 [0041.611] lstrcmpiW (lpString1=".html", lpString2="E.ELM") returned -1 [0041.611] lstrlenW (lpString=".icb") returned 4 [0041.611] lstrcmpiW (lpString1=".icb", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".ics") returned 4 [0041.612] lstrcmpiW (lpString1=".ics", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".iff") returned 4 [0041.612] lstrcmpiW (lpString1=".iff", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".inc") returned 4 [0041.612] lstrcmpiW (lpString1=".inc", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".indd") returned 5 [0041.612] lstrcmpiW (lpString1=".indd", lpString2="E.ELM") returned -1 [0041.612] lstrlenW (lpString=".ini") returned 4 [0041.612] lstrcmpiW (lpString1=".ini", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".iqy") returned 4 [0041.612] lstrcmpiW (lpString1=".iqy", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".j2c") returned 4 [0041.612] lstrcmpiW (lpString1=".j2c", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".j2k") returned 4 [0041.612] lstrcmpiW (lpString1=".j2k", lpString2=".ELM") returned 1 [0041.612] lstrlenW (lpString=".java") returned 5 [0041.612] lstrcmpiW (lpString1=".java", lpString2="E.ELM") returned -1 [0041.613] lstrlenW (lpString=".jp2") returned 4 [0041.613] lstrcmpiW (lpString1=".jp2", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".jpc") returned 4 [0041.613] lstrcmpiW (lpString1=".jpc", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".jpe") returned 4 [0041.613] lstrcmpiW (lpString1=".jpe", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".jpeg") returned 5 [0041.613] lstrcmpiW (lpString1=".jpeg", lpString2="E.ELM") returned -1 [0041.613] lstrlenW (lpString=".jpf") returned 4 [0041.613] lstrcmpiW (lpString1=".jpf", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".jpg") returned 4 [0041.613] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".jpx") returned 4 [0041.613] lstrcmpiW (lpString1=".jpx", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".js") returned 3 [0041.613] lstrcmpiW (lpString1=".js", lpString2="ELM") returned -1 [0041.613] lstrlenW (lpString=".jsf") returned 4 [0041.613] lstrcmpiW (lpString1=".jsf", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".json") returned 5 [0041.613] lstrcmpiW (lpString1=".json", lpString2="E.ELM") returned -1 [0041.613] lstrlenW (lpString=".jsp") returned 4 [0041.613] lstrcmpiW (lpString1=".jsp", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".kdc") returned 4 [0041.613] lstrcmpiW (lpString1=".kdc", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".kmz") returned 4 [0041.613] lstrcmpiW (lpString1=".kmz", lpString2=".ELM") returned 1 [0041.613] lstrlenW (lpString=".kwm") returned 4 [0041.613] lstrcmpiW (lpString1=".kwm", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".lasso") returned 6 [0041.614] lstrcmpiW (lpString1=".lasso", lpString2="CE.ELM") returned -1 [0041.614] lstrlenW (lpString=".lbi") returned 4 [0041.614] lstrcmpiW (lpString1=".lbi", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".lgf") returned 4 [0041.614] lstrcmpiW (lpString1=".lgf", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".lgp") returned 4 [0041.614] lstrcmpiW (lpString1=".lgp", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".log") returned 4 [0041.614] lstrcmpiW (lpString1=".log", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".m1v") returned 4 [0041.614] lstrcmpiW (lpString1=".m1v", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".m4a") returned 4 [0041.614] lstrcmpiW (lpString1=".m4a", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".m4v") returned 4 [0041.614] lstrcmpiW (lpString1=".m4v", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".max") returned 4 [0041.614] lstrcmpiW (lpString1=".max", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".md") returned 3 [0041.614] lstrcmpiW (lpString1=".md", lpString2="ELM") returned -1 [0041.614] lstrlenW (lpString=".mda") returned 4 [0041.614] lstrcmpiW (lpString1=".mda", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".mdb") returned 4 [0041.614] lstrcmpiW (lpString1=".mdb", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".mde") returned 4 [0041.614] lstrcmpiW (lpString1=".mde", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".mdf") returned 4 [0041.614] lstrcmpiW (lpString1=".mdf", lpString2=".ELM") returned 1 [0041.614] lstrlenW (lpString=".mdw") returned 4 [0041.615] lstrcmpiW (lpString1=".mdw", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mef") returned 4 [0041.615] lstrcmpiW (lpString1=".mef", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mft") returned 4 [0041.615] lstrcmpiW (lpString1=".mft", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mfw") returned 4 [0041.615] lstrcmpiW (lpString1=".mfw", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mht") returned 4 [0041.615] lstrcmpiW (lpString1=".mht", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mhtml") returned 6 [0041.615] lstrcmpiW (lpString1=".mhtml", lpString2="CE.ELM") returned -1 [0041.615] lstrlenW (lpString=".mka") returned 4 [0041.615] lstrcmpiW (lpString1=".mka", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mkidx") returned 6 [0041.615] lstrcmpiW (lpString1=".mkidx", lpString2="CE.ELM") returned -1 [0041.615] lstrlenW (lpString=".mkv") returned 4 [0041.615] lstrcmpiW (lpString1=".mkv", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mos") returned 4 [0041.615] lstrcmpiW (lpString1=".mos", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mov") returned 4 [0041.615] lstrcmpiW (lpString1=".mov", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mp3") returned 4 [0041.615] lstrcmpiW (lpString1=".mp3", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mp4") returned 4 [0041.615] lstrcmpiW (lpString1=".mp4", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mpeg") returned 5 [0041.615] lstrcmpiW (lpString1=".mpeg", lpString2="E.ELM") returned -1 [0041.615] lstrlenW (lpString=".mpg") returned 4 [0041.615] lstrcmpiW (lpString1=".mpg", lpString2=".ELM") returned 1 [0041.615] lstrlenW (lpString=".mpv") returned 4 [0041.615] lstrcmpiW (lpString1=".mpv", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".mrw") returned 4 [0041.616] lstrcmpiW (lpString1=".mrw", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".msg") returned 4 [0041.616] lstrcmpiW (lpString1=".msg", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".mxl") returned 4 [0041.616] lstrcmpiW (lpString1=".mxl", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".myd") returned 4 [0041.616] lstrcmpiW (lpString1=".myd", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".myi") returned 4 [0041.616] lstrcmpiW (lpString1=".myi", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".nef") returned 4 [0041.616] lstrcmpiW (lpString1=".nef", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".nrw") returned 4 [0041.616] lstrcmpiW (lpString1=".nrw", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".obj") returned 4 [0041.616] lstrcmpiW (lpString1=".obj", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".odb") returned 4 [0041.616] lstrcmpiW (lpString1=".odb", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".odc") returned 4 [0041.616] lstrcmpiW (lpString1=".odc", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".odm") returned 4 [0041.616] lstrcmpiW (lpString1=".odm", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".odp") returned 4 [0041.616] lstrcmpiW (lpString1=".odp", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".ods") returned 4 [0041.616] lstrcmpiW (lpString1=".ods", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".oft") returned 4 [0041.616] lstrcmpiW (lpString1=".oft", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".one") returned 4 [0041.616] lstrcmpiW (lpString1=".one", lpString2=".ELM") returned 1 [0041.616] lstrlenW (lpString=".onepkg") returned 7 [0041.617] lstrcmpiW (lpString1=".onepkg", lpString2="ICE.ELM") returned -1 [0041.617] lstrlenW (lpString=".onetoc2") returned 8 [0041.617] lstrcmpiW (lpString1=".onetoc2", lpString2="") returned 1 [0041.617] lstrlenW (lpString=".opt") returned 4 [0041.617] lstrcmpiW (lpString1=".opt", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".oqy") returned 4 [0041.617] lstrcmpiW (lpString1=".oqy", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".orf") returned 4 [0041.617] lstrcmpiW (lpString1=".orf", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".p12") returned 4 [0041.617] lstrcmpiW (lpString1=".p12", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".p7b") returned 4 [0041.617] lstrcmpiW (lpString1=".p7b", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".p7c") returned 4 [0041.617] lstrcmpiW (lpString1=".p7c", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pam") returned 4 [0041.617] lstrcmpiW (lpString1=".pam", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pbm") returned 4 [0041.617] lstrcmpiW (lpString1=".pbm", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pct") returned 4 [0041.617] lstrcmpiW (lpString1=".pct", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pcx") returned 4 [0041.617] lstrcmpiW (lpString1=".pcx", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pdd") returned 4 [0041.617] lstrcmpiW (lpString1=".pdd", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pdf") returned 4 [0041.617] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0041.617] lstrlenW (lpString=".pdp") returned 4 [0041.617] lstrcmpiW (lpString1=".pdp", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pef") returned 4 [0041.618] lstrcmpiW (lpString1=".pef", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pem") returned 4 [0041.618] lstrcmpiW (lpString1=".pem", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pff") returned 4 [0041.618] lstrcmpiW (lpString1=".pff", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pfm") returned 4 [0041.618] lstrcmpiW (lpString1=".pfm", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pfx") returned 4 [0041.618] lstrcmpiW (lpString1=".pfx", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pgm") returned 4 [0041.618] lstrcmpiW (lpString1=".pgm", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".php") returned 4 [0041.618] lstrcmpiW (lpString1=".php", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".php3") returned 5 [0041.618] lstrcmpiW (lpString1=".php3", lpString2="E.ELM") returned -1 [0041.618] lstrlenW (lpString=".php4") returned 5 [0041.618] lstrcmpiW (lpString1=".php4", lpString2="E.ELM") returned -1 [0041.618] lstrlenW (lpString=".php5") returned 5 [0041.618] lstrcmpiW (lpString1=".php5", lpString2="E.ELM") returned -1 [0041.618] lstrlenW (lpString=".phtml") returned 6 [0041.618] lstrcmpiW (lpString1=".phtml", lpString2="CE.ELM") returned -1 [0041.618] lstrlenW (lpString=".pict") returned 5 [0041.618] lstrcmpiW (lpString1=".pict", lpString2="E.ELM") returned -1 [0041.618] lstrlenW (lpString=".pl") returned 3 [0041.618] lstrcmpiW (lpString1=".pl", lpString2="ELM") returned -1 [0041.618] lstrlenW (lpString=".pls") returned 4 [0041.618] lstrcmpiW (lpString1=".pls", lpString2=".ELM") returned 1 [0041.618] lstrlenW (lpString=".pm") returned 3 [0041.618] lstrcmpiW (lpString1=".pm", lpString2="ELM") returned -1 [0041.619] lstrlenW (lpString=".png") returned 4 [0041.619] lstrcmpiW (lpString1=".png", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".pnm") returned 4 [0041.619] lstrcmpiW (lpString1=".pnm", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".pot") returned 4 [0041.619] lstrcmpiW (lpString1=".pot", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".potm") returned 5 [0041.619] lstrcmpiW (lpString1=".potm", lpString2="E.ELM") returned -1 [0041.619] lstrlenW (lpString=".potx") returned 5 [0041.619] lstrcmpiW (lpString1=".potx", lpString2="E.ELM") returned -1 [0041.619] lstrlenW (lpString=".ppa") returned 4 [0041.619] lstrcmpiW (lpString1=".ppa", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".ppam") returned 5 [0041.619] lstrcmpiW (lpString1=".ppam", lpString2="E.ELM") returned -1 [0041.619] lstrlenW (lpString=".ppm") returned 4 [0041.619] lstrcmpiW (lpString1=".ppm", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".pps") returned 4 [0041.619] lstrcmpiW (lpString1=".pps", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".ppsm") returned 5 [0041.619] lstrcmpiW (lpString1=".ppsm", lpString2="E.ELM") returned -1 [0041.619] lstrlenW (lpString=".ppt") returned 4 [0041.619] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".pptm") returned 5 [0041.619] lstrcmpiW (lpString1=".pptm", lpString2="E.ELM") returned -1 [0041.619] lstrlenW (lpString=".pptx") returned 5 [0041.619] lstrcmpiW (lpString1=".pptx", lpString2="E.ELM") returned -1 [0041.619] lstrlenW (lpString=".prn") returned 4 [0041.619] lstrcmpiW (lpString1=".prn", lpString2=".ELM") returned 1 [0041.619] lstrlenW (lpString=".ps") returned 3 [0041.620] lstrcmpiW (lpString1=".ps", lpString2="ELM") returned -1 [0041.620] lstrlenW (lpString=".psb") returned 4 [0041.620] lstrcmpiW (lpString1=".psb", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".psd") returned 4 [0041.620] lstrcmpiW (lpString1=".psd", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".pst") returned 4 [0041.620] lstrcmpiW (lpString1=".pst", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".ptx") returned 4 [0041.620] lstrcmpiW (lpString1=".ptx", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".pub") returned 4 [0041.620] lstrcmpiW (lpString1=".pub", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".pwm") returned 4 [0041.620] lstrcmpiW (lpString1=".pwm", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".pxr") returned 4 [0041.620] lstrcmpiW (lpString1=".pxr", lpString2=".ELM") returned 1 [0041.620] lstrlenW (lpString=".py") returned 3 [0041.620] lstrcmpiW (lpString1=".py", lpString2="ELM") returned -1 [0041.620] lstrlenW (lpString=".qt") returned 3 [0041.620] lstrcmpiW (lpString1=".qt", lpString2="ELM") returned -1 [0041.620] lstrlenW (lpString=".r3d") returned 4 [0041.620] lstrcmpiW (lpString1=".r3d", lpString2=".ELM") returned 1 [0041.626] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.627] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.627] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST", cAlternateFileName="")) returned 1 [0041.627] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.630] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.630] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4901300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x539538d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4901300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x184e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST.ELM", cAlternateFileName="")) returned 1 [0041.630] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.631] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.631] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS", cAlternateFileName="")) returned 1 [0041.631] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.631] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.631] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f26d00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f26d00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1015d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS.ELM", cAlternateFileName="")) returned 1 [0041.631] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.631] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.631] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0041.632] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.632] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.632] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239a00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8239a00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xba32, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL.ELM", cAlternateFileName="")) returned 1 [0041.632] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.632] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0041.632] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.633] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.633] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x954c700, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x567e4730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x954c700, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe743, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS.ELM", cAlternateFileName="")) returned 1 [0041.633] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.633] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0041.633] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.633] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.634] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85f400, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa85f400, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe2ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL.ELM", cAlternateFileName="")) returned 1 [0041.634] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.634] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.634] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0041.634] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.634] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.634] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x107bd500, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x107bd500, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xc649, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK.ELM", cAlternateFileName="")) returned 1 [0041.635] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x2d35, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0041.635] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0041.635] lstrlenW (lpString=".1cd") returned 4 [0041.635] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0041.635] lstrlenW (lpString=".3ds") returned 4 [0041.635] lstrcmpiW (lpString1=".3ds", lpString2=".PNG") returned -1 [0041.635] lstrlenW (lpString=".3fr") returned 4 [0041.635] lstrcmpiW (lpString1=".3fr", lpString2=".PNG") returned -1 [0041.635] lstrlenW (lpString=".3g2") returned 4 [0041.635] lstrcmpiW (lpString1=".3g2", lpString2=".PNG") returned -1 [0041.635] lstrlenW (lpString=".3gp") returned 4 [0041.635] lstrcmpiW (lpString1=".3gp", lpString2=".PNG") returned -1 [0041.635] lstrlenW (lpString=".7z") returned 3 [0041.635] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0041.635] lstrlenW (lpString=".accda") returned 6 [0041.635] lstrcmpiW (lpString1=".accda", lpString2="IL.PNG") returned -1 [0041.635] lstrlenW (lpString=".accdb") returned 6 [0041.635] lstrcmpiW (lpString1=".accdb", lpString2="IL.PNG") returned -1 [0041.636] lstrlenW (lpString=".accdc") returned 6 [0041.636] lstrcmpiW (lpString1=".accdc", lpString2="IL.PNG") returned -1 [0041.636] lstrlenW (lpString=".accde") returned 6 [0041.636] lstrcmpiW (lpString1=".accde", lpString2="IL.PNG") returned -1 [0041.636] lstrlenW (lpString=".accdt") returned 6 [0041.636] lstrcmpiW (lpString1=".accdt", lpString2="IL.PNG") returned -1 [0041.636] lstrlenW (lpString=".accdw") returned 6 [0041.636] lstrcmpiW (lpString1=".accdw", lpString2="IL.PNG") returned -1 [0041.636] lstrlenW (lpString=".adb") returned 4 [0041.636] lstrcmpiW (lpString1=".adb", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".adp") returned 4 [0041.636] lstrcmpiW (lpString1=".adp", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".ai") returned 3 [0041.636] lstrcmpiW (lpString1=".ai", lpString2="PNG") returned -1 [0041.636] lstrlenW (lpString=".ai3") returned 4 [0041.636] lstrcmpiW (lpString1=".ai3", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".ai4") returned 4 [0041.636] lstrcmpiW (lpString1=".ai4", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".ai5") returned 4 [0041.636] lstrcmpiW (lpString1=".ai5", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".ai6") returned 4 [0041.636] lstrcmpiW (lpString1=".ai6", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".ai7") returned 4 [0041.636] lstrcmpiW (lpString1=".ai7", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".ai8") returned 4 [0041.636] lstrcmpiW (lpString1=".ai8", lpString2=".PNG") returned -1 [0041.636] lstrlenW (lpString=".anim") returned 5 [0041.636] lstrcmpiW (lpString1=".anim", lpString2="L.PNG") returned -1 [0041.636] lstrlenW (lpString=".arw") returned 4 [0041.636] lstrcmpiW (lpString1=".arw", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".as") returned 3 [0041.637] lstrcmpiW (lpString1=".as", lpString2="PNG") returned -1 [0041.637] lstrlenW (lpString=".asa") returned 4 [0041.637] lstrcmpiW (lpString1=".asa", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".asc") returned 4 [0041.637] lstrcmpiW (lpString1=".asc", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".ascx") returned 5 [0041.637] lstrcmpiW (lpString1=".ascx", lpString2="L.PNG") returned -1 [0041.637] lstrlenW (lpString=".asm") returned 4 [0041.637] lstrcmpiW (lpString1=".asm", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".asmx") returned 5 [0041.637] lstrcmpiW (lpString1=".asmx", lpString2="L.PNG") returned -1 [0041.637] lstrlenW (lpString=".asp") returned 4 [0041.637] lstrcmpiW (lpString1=".asp", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".aspx") returned 5 [0041.637] lstrcmpiW (lpString1=".aspx", lpString2="L.PNG") returned -1 [0041.637] lstrlenW (lpString=".asr") returned 4 [0041.637] lstrcmpiW (lpString1=".asr", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".asx") returned 4 [0041.637] lstrcmpiW (lpString1=".asx", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".avi") returned 4 [0041.637] lstrcmpiW (lpString1=".avi", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".avs") returned 4 [0041.637] lstrcmpiW (lpString1=".avs", lpString2=".PNG") returned -1 [0041.637] lstrlenW (lpString=".backup") returned 7 [0041.637] lstrcmpiW (lpString1=".backup", lpString2="AIL.PNG") returned -1 [0041.637] lstrlenW (lpString=".bak") returned 4 [0041.637] lstrcmpiW (lpString1=".bak", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".bay") returned 4 [0041.638] lstrcmpiW (lpString1=".bay", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".bd") returned 3 [0041.638] lstrcmpiW (lpString1=".bd", lpString2="PNG") returned -1 [0041.638] lstrlenW (lpString=".bin") returned 4 [0041.638] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".bmp") returned 4 [0041.638] lstrcmpiW (lpString1=".bmp", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".bz2") returned 4 [0041.638] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".c") returned 2 [0041.638] lstrcmpiW (lpString1=".c", lpString2="NG") returned -1 [0041.638] lstrlenW (lpString=".cdr") returned 4 [0041.638] lstrcmpiW (lpString1=".cdr", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".cer") returned 4 [0041.638] lstrcmpiW (lpString1=".cer", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".cf") returned 3 [0041.638] lstrcmpiW (lpString1=".cf", lpString2="PNG") returned -1 [0041.638] lstrlenW (lpString=".cfc") returned 4 [0041.638] lstrcmpiW (lpString1=".cfc", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".cfm") returned 4 [0041.638] lstrcmpiW (lpString1=".cfm", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".cfml") returned 5 [0041.638] lstrcmpiW (lpString1=".cfml", lpString2="L.PNG") returned -1 [0041.638] lstrlenW (lpString=".cfu") returned 4 [0041.638] lstrcmpiW (lpString1=".cfu", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".chm") returned 4 [0041.638] lstrcmpiW (lpString1=".chm", lpString2=".PNG") returned -1 [0041.638] lstrlenW (lpString=".cin") returned 4 [0041.639] lstrcmpiW (lpString1=".cin", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".class") returned 6 [0041.639] lstrcmpiW (lpString1=".class", lpString2="IL.PNG") returned -1 [0041.639] lstrlenW (lpString=".clx") returned 4 [0041.639] lstrcmpiW (lpString1=".clx", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".config") returned 7 [0041.639] lstrcmpiW (lpString1=".config", lpString2="AIL.PNG") returned -1 [0041.639] lstrlenW (lpString=".cpp") returned 4 [0041.639] lstrcmpiW (lpString1=".cpp", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".cr2") returned 4 [0041.639] lstrcmpiW (lpString1=".cr2", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".crt") returned 4 [0041.639] lstrcmpiW (lpString1=".crt", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".crw") returned 4 [0041.639] lstrcmpiW (lpString1=".crw", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".cs") returned 3 [0041.639] lstrcmpiW (lpString1=".cs", lpString2="PNG") returned -1 [0041.639] lstrlenW (lpString=".css") returned 4 [0041.639] lstrcmpiW (lpString1=".css", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".csv") returned 4 [0041.639] lstrcmpiW (lpString1=".csv", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".cub") returned 4 [0041.639] lstrcmpiW (lpString1=".cub", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".dae") returned 4 [0041.639] lstrcmpiW (lpString1=".dae", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".dat") returned 4 [0041.639] lstrcmpiW (lpString1=".dat", lpString2=".PNG") returned -1 [0041.639] lstrlenW (lpString=".db") returned 3 [0041.639] lstrcmpiW (lpString1=".db", lpString2="PNG") returned -1 [0041.639] lstrlenW (lpString=".dbf") returned 4 [0041.640] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dbx") returned 4 [0041.640] lstrcmpiW (lpString1=".dbx", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dc3") returned 4 [0041.640] lstrcmpiW (lpString1=".dc3", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dcm") returned 4 [0041.640] lstrcmpiW (lpString1=".dcm", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dcr") returned 4 [0041.640] lstrcmpiW (lpString1=".dcr", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".der") returned 4 [0041.640] lstrcmpiW (lpString1=".der", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dib") returned 4 [0041.640] lstrcmpiW (lpString1=".dib", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dic") returned 4 [0041.640] lstrcmpiW (lpString1=".dic", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".dif") returned 4 [0041.640] lstrcmpiW (lpString1=".dif", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".divx") returned 5 [0041.640] lstrcmpiW (lpString1=".divx", lpString2="L.PNG") returned -1 [0041.640] lstrlenW (lpString=".djvu") returned 5 [0041.640] lstrcmpiW (lpString1=".djvu", lpString2="L.PNG") returned -1 [0041.640] lstrlenW (lpString=".dng") returned 4 [0041.640] lstrcmpiW (lpString1=".dng", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".doc") returned 4 [0041.640] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0041.640] lstrlenW (lpString=".docm") returned 5 [0041.640] lstrcmpiW (lpString1=".docm", lpString2="L.PNG") returned -1 [0041.640] lstrlenW (lpString=".docx") returned 5 [0041.641] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0041.641] lstrlenW (lpString=".dot") returned 4 [0041.641] lstrcmpiW (lpString1=".dot", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dotm") returned 5 [0041.641] lstrcmpiW (lpString1=".dotm", lpString2="L.PNG") returned -1 [0041.641] lstrlenW (lpString=".dotx") returned 5 [0041.641] lstrcmpiW (lpString1=".dotx", lpString2="L.PNG") returned -1 [0041.641] lstrlenW (lpString=".dpx") returned 4 [0041.641] lstrcmpiW (lpString1=".dpx", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dqy") returned 4 [0041.641] lstrcmpiW (lpString1=".dqy", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dsn") returned 4 [0041.641] lstrcmpiW (lpString1=".dsn", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dt") returned 3 [0041.641] lstrcmpiW (lpString1=".dt", lpString2="PNG") returned -1 [0041.641] lstrlenW (lpString=".dtd") returned 4 [0041.641] lstrcmpiW (lpString1=".dtd", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dwg") returned 4 [0041.641] lstrcmpiW (lpString1=".dwg", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dwt") returned 4 [0041.641] lstrcmpiW (lpString1=".dwt", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".dx") returned 3 [0041.641] lstrcmpiW (lpString1=".dx", lpString2="PNG") returned -1 [0041.641] lstrlenW (lpString=".dxf") returned 4 [0041.641] lstrcmpiW (lpString1=".dxf", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".edml") returned 5 [0041.641] lstrcmpiW (lpString1=".edml", lpString2="L.PNG") returned -1 [0041.641] lstrlenW (lpString=".efd") returned 4 [0041.641] lstrcmpiW (lpString1=".efd", lpString2=".PNG") returned -1 [0041.641] lstrlenW (lpString=".elf") returned 4 [0041.641] lstrcmpiW (lpString1=".elf", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".emf") returned 4 [0041.642] lstrcmpiW (lpString1=".emf", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".emz") returned 4 [0041.642] lstrcmpiW (lpString1=".emz", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".epf") returned 4 [0041.642] lstrcmpiW (lpString1=".epf", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".eps") returned 4 [0041.642] lstrcmpiW (lpString1=".eps", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".epsf") returned 5 [0041.642] lstrcmpiW (lpString1=".epsf", lpString2="L.PNG") returned -1 [0041.642] lstrlenW (lpString=".epsp") returned 5 [0041.642] lstrcmpiW (lpString1=".epsp", lpString2="L.PNG") returned -1 [0041.642] lstrlenW (lpString=".erf") returned 4 [0041.642] lstrcmpiW (lpString1=".erf", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".exr") returned 4 [0041.642] lstrcmpiW (lpString1=".exr", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".f4v") returned 4 [0041.642] lstrcmpiW (lpString1=".f4v", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".fido") returned 5 [0041.642] lstrcmpiW (lpString1=".fido", lpString2="L.PNG") returned -1 [0041.642] lstrlenW (lpString=".flm") returned 4 [0041.642] lstrcmpiW (lpString1=".flm", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".flv") returned 4 [0041.642] lstrcmpiW (lpString1=".flv", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".frm") returned 4 [0041.642] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0041.642] lstrlenW (lpString=".fxg") returned 4 [0041.642] lstrcmpiW (lpString1=".fxg", lpString2=".PNG") returned -1 [0041.643] lstrlenW (lpString=".geo") returned 4 [0041.643] lstrcmpiW (lpString1=".geo", lpString2=".PNG") returned -1 [0041.643] lstrlenW (lpString=".gif") returned 4 [0041.643] lstrcmpiW (lpString1=".gif", lpString2=".PNG") returned -1 [0041.643] lstrlenW (lpString=".grs") returned 4 [0041.643] lstrcmpiW (lpString1=".grs", lpString2=".PNG") returned -1 [0041.643] lstrlenW (lpString=".gz") returned 3 [0041.643] lstrcmpiW (lpString1=".gz", lpString2="PNG") returned -1 [0041.643] lstrlenW (lpString=".h") returned 2 [0041.643] lstrcmpiW (lpString1=".h", lpString2="NG") returned -1 [0041.643] lstrlenW (lpString=".hdr") returned 4 [0041.643] lstrcmpiW (lpString1=".hdr", lpString2=".PNG") returned -1 [0041.643] lstrlenW (lpString=".hpp") returned 4 [0041.939] lstrcmpiW (lpString1=".hpp", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".hta") returned 4 [0041.939] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".htc") returned 4 [0041.939] lstrcmpiW (lpString1=".htc", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".htm") returned 4 [0041.939] lstrcmpiW (lpString1=".htm", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".html") returned 5 [0041.939] lstrcmpiW (lpString1=".html", lpString2="L.PNG") returned -1 [0041.939] lstrlenW (lpString=".icb") returned 4 [0041.939] lstrcmpiW (lpString1=".icb", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".ics") returned 4 [0041.939] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".iff") returned 4 [0041.939] lstrcmpiW (lpString1=".iff", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".inc") returned 4 [0041.939] lstrcmpiW (lpString1=".inc", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".indd") returned 5 [0041.939] lstrcmpiW (lpString1=".indd", lpString2="L.PNG") returned -1 [0041.939] lstrlenW (lpString=".ini") returned 4 [0041.939] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".iqy") returned 4 [0041.939] lstrcmpiW (lpString1=".iqy", lpString2=".PNG") returned -1 [0041.939] lstrlenW (lpString=".j2c") returned 4 [0041.939] lstrcmpiW (lpString1=".j2c", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".j2k") returned 4 [0041.940] lstrcmpiW (lpString1=".j2k", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".java") returned 5 [0041.940] lstrcmpiW (lpString1=".java", lpString2="L.PNG") returned -1 [0041.940] lstrlenW (lpString=".jp2") returned 4 [0041.940] lstrcmpiW (lpString1=".jp2", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".jpc") returned 4 [0041.940] lstrcmpiW (lpString1=".jpc", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".jpe") returned 4 [0041.940] lstrcmpiW (lpString1=".jpe", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".jpeg") returned 5 [0041.940] lstrcmpiW (lpString1=".jpeg", lpString2="L.PNG") returned -1 [0041.940] lstrlenW (lpString=".jpf") returned 4 [0041.940] lstrcmpiW (lpString1=".jpf", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".jpg") returned 4 [0041.940] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".jpx") returned 4 [0041.940] lstrcmpiW (lpString1=".jpx", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".js") returned 3 [0041.940] lstrcmpiW (lpString1=".js", lpString2="PNG") returned -1 [0041.940] lstrlenW (lpString=".jsf") returned 4 [0041.940] lstrcmpiW (lpString1=".jsf", lpString2=".PNG") returned -1 [0041.940] lstrlenW (lpString=".json") returned 5 [0041.940] lstrcmpiW (lpString1=".json", lpString2="L.PNG") returned -1 [0041.940] lstrlenW (lpString=".jsp") returned 4 [0041.941] lstrcmpiW (lpString1=".jsp", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".kdc") returned 4 [0041.941] lstrcmpiW (lpString1=".kdc", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".kmz") returned 4 [0041.941] lstrcmpiW (lpString1=".kmz", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".kwm") returned 4 [0041.941] lstrcmpiW (lpString1=".kwm", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".lasso") returned 6 [0041.941] lstrcmpiW (lpString1=".lasso", lpString2="IL.PNG") returned -1 [0041.941] lstrlenW (lpString=".lbi") returned 4 [0041.941] lstrcmpiW (lpString1=".lbi", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".lgf") returned 4 [0041.941] lstrcmpiW (lpString1=".lgf", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".lgp") returned 4 [0041.941] lstrcmpiW (lpString1=".lgp", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".log") returned 4 [0041.941] lstrcmpiW (lpString1=".log", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".m1v") returned 4 [0041.941] lstrcmpiW (lpString1=".m1v", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".m4a") returned 4 [0041.941] lstrcmpiW (lpString1=".m4a", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".m4v") returned 4 [0041.941] lstrcmpiW (lpString1=".m4v", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".max") returned 4 [0041.941] lstrcmpiW (lpString1=".max", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".md") returned 3 [0041.941] lstrcmpiW (lpString1=".md", lpString2="PNG") returned -1 [0041.941] lstrlenW (lpString=".mda") returned 4 [0041.941] lstrcmpiW (lpString1=".mda", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".mdb") returned 4 [0041.941] lstrcmpiW (lpString1=".mdb", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".mde") returned 4 [0041.941] lstrcmpiW (lpString1=".mde", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".mdf") returned 4 [0041.941] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0041.941] lstrlenW (lpString=".mdw") returned 4 [0041.941] lstrcmpiW (lpString1=".mdw", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mef") returned 4 [0041.942] lstrcmpiW (lpString1=".mef", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mft") returned 4 [0041.942] lstrcmpiW (lpString1=".mft", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mfw") returned 4 [0041.942] lstrcmpiW (lpString1=".mfw", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mht") returned 4 [0041.942] lstrcmpiW (lpString1=".mht", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mhtml") returned 6 [0041.942] lstrcmpiW (lpString1=".mhtml", lpString2="IL.PNG") returned -1 [0041.942] lstrlenW (lpString=".mka") returned 4 [0041.942] lstrcmpiW (lpString1=".mka", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mkidx") returned 6 [0041.942] lstrcmpiW (lpString1=".mkidx", lpString2="IL.PNG") returned -1 [0041.942] lstrlenW (lpString=".mkv") returned 4 [0041.942] lstrcmpiW (lpString1=".mkv", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mos") returned 4 [0041.942] lstrcmpiW (lpString1=".mos", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mov") returned 4 [0041.942] lstrcmpiW (lpString1=".mov", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mp3") returned 4 [0041.942] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mp4") returned 4 [0041.942] lstrcmpiW (lpString1=".mp4", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mpeg") returned 5 [0041.942] lstrcmpiW (lpString1=".mpeg", lpString2="L.PNG") returned -1 [0041.942] lstrlenW (lpString=".mpg") returned 4 [0041.942] lstrcmpiW (lpString1=".mpg", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mpv") returned 4 [0041.942] lstrcmpiW (lpString1=".mpv", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".mrw") returned 4 [0041.942] lstrcmpiW (lpString1=".mrw", lpString2=".PNG") returned -1 [0041.942] lstrlenW (lpString=".msg") returned 4 [0041.942] lstrcmpiW (lpString1=".msg", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".mxl") returned 4 [0041.943] lstrcmpiW (lpString1=".mxl", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".myd") returned 4 [0041.943] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".myi") returned 4 [0041.943] lstrcmpiW (lpString1=".myi", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".nef") returned 4 [0041.943] lstrcmpiW (lpString1=".nef", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".nrw") returned 4 [0041.943] lstrcmpiW (lpString1=".nrw", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".obj") returned 4 [0041.943] lstrcmpiW (lpString1=".obj", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".odb") returned 4 [0041.943] lstrcmpiW (lpString1=".odb", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".odc") returned 4 [0041.943] lstrcmpiW (lpString1=".odc", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".odm") returned 4 [0041.943] lstrcmpiW (lpString1=".odm", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".odp") returned 4 [0041.943] lstrcmpiW (lpString1=".odp", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".ods") returned 4 [0041.943] lstrcmpiW (lpString1=".ods", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".oft") returned 4 [0041.943] lstrcmpiW (lpString1=".oft", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".one") returned 4 [0041.943] lstrcmpiW (lpString1=".one", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".onepkg") returned 7 [0041.943] lstrcmpiW (lpString1=".onepkg", lpString2="AIL.PNG") returned -1 [0041.943] lstrlenW (lpString=".onetoc2") returned 8 [0041.943] lstrcmpiW (lpString1=".onetoc2", lpString2="NAIL.PNG") returned -1 [0041.943] lstrlenW (lpString=".opt") returned 4 [0041.943] lstrcmpiW (lpString1=".opt", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".oqy") returned 4 [0041.943] lstrcmpiW (lpString1=".oqy", lpString2=".PNG") returned -1 [0041.943] lstrlenW (lpString=".orf") returned 4 [0041.944] lstrcmpiW (lpString1=".orf", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".p12") returned 4 [0041.944] lstrcmpiW (lpString1=".p12", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".p7b") returned 4 [0041.944] lstrcmpiW (lpString1=".p7b", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".p7c") returned 4 [0041.944] lstrcmpiW (lpString1=".p7c", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pam") returned 4 [0041.944] lstrcmpiW (lpString1=".pam", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pbm") returned 4 [0041.944] lstrcmpiW (lpString1=".pbm", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pct") returned 4 [0041.944] lstrcmpiW (lpString1=".pct", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pcx") returned 4 [0041.944] lstrcmpiW (lpString1=".pcx", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pdd") returned 4 [0041.944] lstrcmpiW (lpString1=".pdd", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pdf") returned 4 [0041.944] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pdp") returned 4 [0041.944] lstrcmpiW (lpString1=".pdp", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pef") returned 4 [0041.944] lstrcmpiW (lpString1=".pef", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pem") returned 4 [0041.944] lstrcmpiW (lpString1=".pem", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pff") returned 4 [0041.944] lstrcmpiW (lpString1=".pff", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pfm") returned 4 [0041.944] lstrcmpiW (lpString1=".pfm", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pfx") returned 4 [0041.944] lstrcmpiW (lpString1=".pfx", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".pgm") returned 4 [0041.944] lstrcmpiW (lpString1=".pgm", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".php") returned 4 [0041.944] lstrcmpiW (lpString1=".php", lpString2=".PNG") returned -1 [0041.944] lstrlenW (lpString=".php3") returned 5 [0041.945] lstrcmpiW (lpString1=".php3", lpString2="L.PNG") returned -1 [0041.945] lstrlenW (lpString=".php4") returned 5 [0041.945] lstrcmpiW (lpString1=".php4", lpString2="L.PNG") returned -1 [0041.945] lstrlenW (lpString=".php5") returned 5 [0041.945] lstrcmpiW (lpString1=".php5", lpString2="L.PNG") returned -1 [0041.945] lstrlenW (lpString=".phtml") returned 6 [0041.945] lstrcmpiW (lpString1=".phtml", lpString2="IL.PNG") returned -1 [0041.945] lstrlenW (lpString=".pict") returned 5 [0041.945] lstrcmpiW (lpString1=".pict", lpString2="L.PNG") returned -1 [0041.945] lstrlenW (lpString=".pl") returned 3 [0041.945] lstrcmpiW (lpString1=".pl", lpString2="PNG") returned -1 [0041.945] lstrlenW (lpString=".pls") returned 4 [0041.945] lstrcmpiW (lpString1=".pls", lpString2=".PNG") returned -1 [0041.945] lstrlenW (lpString=".pm") returned 3 [0041.945] lstrcmpiW (lpString1=".pm", lpString2="PNG") returned -1 [0041.945] lstrlenW (lpString=".png") returned 4 [0041.945] lstrcmpiW (lpString1=".png", lpString2=".PNG") returned 0 [0041.945] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0041.945] lstrlenW (lpString=".NcOv") returned 5 [0041.945] lstrcmpiW (lpString1=".NcOv", lpString2="L.PNG") returned -1 [0041.945] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0041.945] lstrcmpiW (lpString1="boot.ini", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="bootfont.bin", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="ntldr", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="ntdetect.com", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="io.sys", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="Info.hta", lpString2="THMBNAIL.PNG") returned -1 [0041.945] lstrcmpiW (lpString1="winhost.exe", lpString2="THMBNAIL.PNG") returned 1 [0041.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0041.945] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x2d35, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0041.946] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.946] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.946] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0041.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS") returned 63 [0041.946] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS") returned 1 [0041.946] lstrlenW (lpString="PAPYRUS") returned 7 [0041.946] lstrcmpiW (lpString1="C:\\Windows", lpString2="PAPYRUS") returned -1 [0041.946] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3f2d0a0 [0041.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS") returned 63 [0041.946] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.946] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.946] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x140f5c00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x140f5c00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x166d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS.ELM", cAlternateFileName="")) returned 1 [0041.946] lstrlenW (lpString="PAPYRUS.ELM") returned 11 [0041.946] lstrlenW (lpString=".1cd") returned 4 [0041.946] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0041.946] lstrlenW (lpString=".3ds") returned 4 [0041.946] lstrcmpiW (lpString1=".3ds", lpString2=".ELM") returned -1 [0041.946] lstrlenW (lpString=".3fr") returned 4 [0041.946] lstrcmpiW (lpString1=".3fr", lpString2=".ELM") returned -1 [0041.946] lstrlenW (lpString=".3g2") returned 4 [0041.946] lstrcmpiW (lpString1=".3g2", lpString2=".ELM") returned -1 [0041.946] lstrlenW (lpString=".3gp") returned 4 [0041.946] lstrcmpiW (lpString1=".3gp", lpString2=".ELM") returned -1 [0041.947] lstrlenW (lpString=".7z") returned 3 [0041.947] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0041.947] lstrlenW (lpString=".accda") returned 6 [0041.947] lstrcmpiW (lpString1=".accda", lpString2="US.ELM") returned -1 [0041.947] lstrlenW (lpString=".accdb") returned 6 [0041.947] lstrcmpiW (lpString1=".accdb", lpString2="US.ELM") returned -1 [0041.947] lstrlenW (lpString=".accdc") returned 6 [0041.947] lstrcmpiW (lpString1=".accdc", lpString2="US.ELM") returned -1 [0041.947] lstrlenW (lpString=".accde") returned 6 [0041.947] lstrcmpiW (lpString1=".accde", lpString2="US.ELM") returned -1 [0041.947] lstrlenW (lpString=".accdt") returned 6 [0041.947] lstrcmpiW (lpString1=".accdt", lpString2="US.ELM") returned -1 [0041.947] lstrlenW (lpString=".accdw") returned 6 [0041.947] lstrcmpiW (lpString1=".accdw", lpString2="US.ELM") returned -1 [0041.947] lstrlenW (lpString=".adb") returned 4 [0041.947] lstrcmpiW (lpString1=".adb", lpString2=".ELM") returned -1 [0041.947] lstrlenW (lpString=".adp") returned 4 [0041.947] lstrcmpiW (lpString1=".adp", lpString2=".ELM") returned -1 [0041.947] lstrlenW (lpString=".ai") returned 3 [0041.947] lstrcmpiW (lpString1=".ai", lpString2="ELM") returned -1 [0041.947] lstrlenW (lpString=".ai3") returned 4 [0041.947] lstrcmpiW (lpString1=".ai3", lpString2=".ELM") returned -1 [0041.947] lstrlenW (lpString=".ai4") returned 4 [0041.947] lstrcmpiW (lpString1=".ai4", lpString2=".ELM") returned -1 [0041.947] lstrlenW (lpString=".ai5") returned 4 [0041.947] lstrcmpiW (lpString1=".ai5", lpString2=".ELM") returned -1 [0041.947] lstrlenW (lpString=".ai6") returned 4 [0041.947] lstrcmpiW (lpString1=".ai6", lpString2=".ELM") returned -1 [0041.948] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.948] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.948] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0041.948] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.948] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.949] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a2e300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17a2e300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xd0e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL.ELM", cAlternateFileName="")) returned 1 [0041.949] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.949] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0041.949] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.949] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.949] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x53b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.949] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.949] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUAD", cAlternateFileName="")) returned 1 [0041.950] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.950] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.950] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.950] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.950] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.950] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0041.950] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.950] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.950] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x682, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.951] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.951] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="REFINED", cAlternateFileName="")) returned 1 [0041.951] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.951] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.951] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x58f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.951] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.951] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0041.951] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.951] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.952] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xf82, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.952] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.952] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0041.952] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.952] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.952] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.952] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.953] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef310 | out: lpFindFileData=0x2eef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0041.953] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*", lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0043.013] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.013] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0063.788] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\*", lpFindFileData=0x2eeeb9c | out: lpFindFileData=0x2eeeb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81f971c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81fe3480, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81fe3480, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x38144b0 [0063.788] FindNextFileW (in: hFindFile=0x38144b0, lpFindFileData=0x2eeeb9c | out: lpFindFileData=0x2eeeb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81f971c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81fe3480, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81fe3480, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.788] FindNextFileW (in: hFindFile=0x38144b0, lpFindFileData=0x2eeeb9c | out: lpFindFileData=0x2eeeb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81fe3480, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x8ca7, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEXShare.asfx", cAlternateFileName="DEXSHA~1.ASF")) returned 1 [0063.789] FindClose (in: hFindFile=0x38144b0 | out: hFindFile=0x38144b0) returned 1 [0063.789] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60e0 | out: hHeap=0x500000) returned 1 [0063.789] FindNextFileW (in: hFindFile=0x3814430, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7ddfb360, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spelling.DAN", cAlternateFileName="")) returned 1 [0063.789] FindClose (in: hFindFile=0x3814430 | out: hFindFile=0x3814430) returned 1 [0063.789] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3ef1070 | out: hHeap=0x500000) returned 1 [0063.789] FindNextFileW (in: hFindFile=0x3814230, lpFindFileData=0x2eef094 | out: lpFindFileData=0x2eef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d723420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x82f5c380, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x82f5c380, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de_DE", cAlternateFileName="")) returned 1 [0063.790] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\*", lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d723420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x82f5c380, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x82f5c380, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814430 [0064.196] FindNextFileW (in: hFindFile=0x3814430, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d723420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x82f5c380, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x82f5c380, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.196] FindNextFileW (in: hFindFile=0x3814430, lpFindFileData=0x2eeee18 | out: lpFindFileData=0x2eeee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d984a20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x0, cFileName="accessibility.DEU", cAlternateFileName="ACCESS~1.DEU")) returned 1 Thread: id = 15 os_tid = 0xb08 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x3771078 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x3781080 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a880 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x55ad18 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a898 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3a70020 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a838 [0037.776] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a838, Size=0x20) returned 0x5a3600 [0037.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a838 [0037.777] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a838, Size=0x20) returned 0x5a35b0 [0037.777] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0037.777] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0037.777] Wow64DisableWow64FsRedirection (in: OldValue=0x302ff58 | out: OldValue=0x302ff58*=0x0) returned 1 [0037.777] lstrlenW (lpString="kernel32.dll") returned 12 [0037.777] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a3600 | out: hHeap=0x500000) returned 1 [0037.777] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0037.777] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a35b0 | out: hHeap=0x500000) returned 1 [0037.777] Sleep (dwMilliseconds=0x64) [0037.884] lstrlenW (lpString="BCD") returned 3 [0037.884] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.884] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.884] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.884] lstrlenW (lpString=".doc") returned 4 [0037.884] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0037.884] lstrlenW (lpString=".docx") returned 5 [0037.884] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0037.884] lstrlenW (lpString=".pdf") returned 4 [0037.884] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0037.884] lstrlenW (lpString=".xls") returned 4 [0037.884] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString=".xlsx") returned 5 [0037.885] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0037.885] lstrlenW (lpString=".ppt") returned 4 [0037.885] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.885] lstrlenW (lpString=".zip") returned 4 [0037.885] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString=".rar") returned 4 [0037.885] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString=".bz2") returned 4 [0037.885] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString=".7z") returned 3 [0037.885] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0037.885] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.885] lstrlenW (lpString=".dbf") returned 4 [0037.885] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.885] lstrlenW (lpString=".1cd") returned 4 [0037.885] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.885] lstrlenW (lpString=".jpg") returned 4 [0037.885] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.885] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.885] lstrlenW (lpString=".doc") returned 4 [0037.885] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0037.885] lstrlenW (lpString=".docx") returned 5 [0037.885] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0037.886] lstrlenW (lpString=".pdf") returned 4 [0037.886] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString=".xls") returned 4 [0037.886] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString=".xlsx") returned 5 [0037.886] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0037.886] lstrlenW (lpString=".ppt") returned 4 [0037.886] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.886] lstrlenW (lpString=".zip") returned 4 [0037.886] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString=".rar") returned 4 [0037.886] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString=".bz2") returned 4 [0037.886] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString=".7z") returned 3 [0037.886] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0037.886] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.886] lstrlenW (lpString=".dbf") returned 4 [0037.886] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.886] lstrlenW (lpString=".1cd") returned 4 [0037.886] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0037.886] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0037.886] lstrlenW (lpString=".jpg") returned 4 [0037.886] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0037.887] lstrcmpiW (lpString1=".LOG1", lpString2=".NcOv") returned -1 [0037.887] lstrlenW (lpString="BCD.LOG1") returned 8 [0037.887] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0037.887] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=0) returned 1 [0037.887] CloseHandle (hObject=0x1a0) returned 1 [0037.887] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.887] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.887] lstrlenW (lpString=".doc") returned 4 [0037.887] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0037.887] lstrlenW (lpString=".docx") returned 5 [0037.887] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0037.887] lstrlenW (lpString=".pdf") returned 4 [0037.887] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0037.887] lstrlenW (lpString=".xls") returned 4 [0037.887] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0037.887] lstrlenW (lpString=".xlsx") returned 5 [0037.888] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0037.888] lstrlenW (lpString=".ppt") returned 4 [0037.888] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.888] lstrlenW (lpString=".zip") returned 4 [0037.888] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString=".rar") returned 4 [0037.888] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString=".bz2") returned 4 [0037.888] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString=".7z") returned 3 [0037.888] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0037.888] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.888] lstrlenW (lpString=".dbf") returned 4 [0037.888] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.888] lstrlenW (lpString=".1cd") returned 4 [0037.888] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.888] lstrlenW (lpString=".jpg") returned 4 [0037.888] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.888] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.888] lstrlenW (lpString=".doc") returned 4 [0037.888] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0037.888] lstrlenW (lpString=".docx") returned 5 [0037.888] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0037.888] lstrlenW (lpString=".pdf") returned 4 [0037.889] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString=".xls") returned 4 [0037.889] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString=".xlsx") returned 5 [0037.889] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0037.889] lstrlenW (lpString=".ppt") returned 4 [0037.889] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.889] lstrlenW (lpString=".zip") returned 4 [0037.889] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString=".rar") returned 4 [0037.889] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString=".bz2") returned 4 [0037.889] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString=".7z") returned 3 [0037.889] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0037.889] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.889] lstrlenW (lpString=".dbf") returned 4 [0037.889] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.889] lstrlenW (lpString=".1cd") returned 4 [0037.889] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0037.889] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0037.889] lstrlenW (lpString=".jpg") returned 4 [0037.889] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0037.920] lstrcmpiW (lpString1=".LOG2", lpString2=".NcOv") returned -1 [0037.920] lstrlenW (lpString="BCD.LOG2") returned 8 [0037.920] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0037.920] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=0) returned 1 [0037.920] CloseHandle (hObject=0x1a0) returned 1 [0037.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.922] lstrlenW (lpString=".doc") returned 4 [0037.922] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0037.922] lstrlenW (lpString=".docx") returned 5 [0037.922] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0037.922] lstrlenW (lpString=".pdf") returned 4 [0037.922] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString=".xls") returned 4 [0037.923] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString=".xlsx") returned 5 [0037.923] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0037.923] lstrlenW (lpString=".ppt") returned 4 [0037.923] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.923] lstrlenW (lpString=".zip") returned 4 [0037.923] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString=".rar") returned 4 [0037.923] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString=".bz2") returned 4 [0037.923] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString=".7z") returned 3 [0037.923] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0037.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.923] lstrlenW (lpString=".dbf") returned 4 [0037.923] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.923] lstrlenW (lpString=".1cd") returned 4 [0037.923] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.923] lstrlenW (lpString=".jpg") returned 4 [0037.923] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0037.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.924] lstrlenW (lpString=".doc") returned 4 [0037.924] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString=".docx") returned 5 [0037.924] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0037.924] lstrlenW (lpString=".pdf") returned 4 [0037.924] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString=".xls") returned 4 [0037.924] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString=".xlsx") returned 5 [0037.924] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0037.924] lstrlenW (lpString=".ppt") returned 4 [0037.924] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.924] lstrlenW (lpString=".zip") returned 4 [0037.924] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString=".rar") returned 4 [0037.924] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString=".bz2") returned 4 [0037.924] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString=".7z") returned 3 [0037.924] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0037.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.924] lstrlenW (lpString=".dbf") returned 4 [0037.924] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.924] lstrlenW (lpString=".1cd") returned 4 [0037.924] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0037.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0037.925] lstrlenW (lpString=".jpg") returned 4 [0037.925] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0037.925] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.925] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.925] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0037.925] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=89168) returned 1 [0037.925] CloseHandle (hObject=0x1a0) returned 1 [0037.925] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0037.925] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.925] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.926] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.926] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.926] lstrlenW (lpString=".doc") returned 4 [0037.926] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.926] lstrlenW (lpString=".docx") returned 5 [0037.926] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.926] lstrlenW (lpString=".pdf") returned 4 [0037.926] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.926] lstrlenW (lpString=".xls") returned 4 [0037.926] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.926] lstrlenW (lpString=".xlsx") returned 5 [0037.926] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.926] lstrlenW (lpString=".ppt") returned 4 [0037.926] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.926] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.926] lstrlenW (lpString=".zip") returned 4 [0037.926] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.926] lstrlenW (lpString=".rar") returned 4 [0037.926] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.926] lstrlenW (lpString=".bz2") returned 4 [0037.926] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.926] lstrlenW (lpString=".7z") returned 3 [0037.926] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.926] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.926] lstrlenW (lpString=".dbf") returned 4 [0037.926] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.926] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.927] lstrlenW (lpString=".1cd") returned 4 [0037.927] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.927] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.927] lstrlenW (lpString=".jpg") returned 4 [0037.927] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.927] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.927] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.927] lstrlenW (lpString=".doc") returned 4 [0037.927] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.955] lstrlenW (lpString=".docx") returned 5 [0037.955] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.955] lstrlenW (lpString=".pdf") returned 4 [0037.955] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.955] lstrlenW (lpString=".xls") returned 4 [0037.955] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.955] lstrlenW (lpString=".xlsx") returned 5 [0037.955] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.955] lstrlenW (lpString=".ppt") returned 4 [0037.955] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.955] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.955] lstrlenW (lpString=".zip") returned 4 [0037.955] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.955] lstrlenW (lpString=".rar") returned 4 [0037.955] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.955] lstrlenW (lpString=".bz2") returned 4 [0037.955] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.955] lstrlenW (lpString=".7z") returned 3 [0037.955] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.955] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.955] lstrlenW (lpString=".dbf") returned 4 [0037.955] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.955] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.955] lstrlenW (lpString=".1cd") returned 4 [0037.955] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.955] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0037.955] lstrlenW (lpString=".jpg") returned 4 [0037.956] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.956] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.956] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.956] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.978] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=87616) returned 1 [0037.978] CloseHandle (hObject=0x18c) returned 1 [0037.978] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0037.978] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.978] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.978] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.978] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.978] lstrlenW (lpString=".doc") returned 4 [0037.978] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.978] lstrlenW (lpString=".docx") returned 5 [0037.978] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.978] lstrlenW (lpString=".pdf") returned 4 [0037.978] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.978] lstrlenW (lpString=".xls") returned 4 [0037.978] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.978] lstrlenW (lpString=".xlsx") returned 5 [0037.978] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.978] lstrlenW (lpString=".ppt") returned 4 [0037.978] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.978] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.978] lstrlenW (lpString=".zip") returned 4 [0037.978] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.978] lstrlenW (lpString=".rar") returned 4 [0037.978] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.978] lstrlenW (lpString=".bz2") returned 4 [0037.978] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.978] lstrlenW (lpString=".7z") returned 3 [0037.979] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString=".dbf") returned 4 [0037.979] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString=".1cd") returned 4 [0037.979] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString=".jpg") returned 4 [0037.979] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString=".doc") returned 4 [0037.979] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.979] lstrlenW (lpString=".docx") returned 5 [0037.979] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.979] lstrlenW (lpString=".pdf") returned 4 [0037.979] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.979] lstrlenW (lpString=".xls") returned 4 [0037.979] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.979] lstrlenW (lpString=".xlsx") returned 5 [0037.979] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.979] lstrlenW (lpString=".ppt") returned 4 [0037.979] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString=".zip") returned 4 [0037.979] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.979] lstrlenW (lpString=".rar") returned 4 [0037.979] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.979] lstrlenW (lpString=".bz2") returned 4 [0037.979] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.979] lstrlenW (lpString=".7z") returned 3 [0037.979] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.979] lstrlenW (lpString=".dbf") returned 4 [0037.979] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.979] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.980] lstrlenW (lpString=".1cd") returned 4 [0037.980] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.980] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0037.980] lstrlenW (lpString=".jpg") returned 4 [0037.980] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.980] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.980] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.980] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.980] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=91712) returned 1 [0037.980] CloseHandle (hObject=0x18c) returned 1 [0037.980] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0037.980] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.980] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.980] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.980] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.980] lstrlenW (lpString=".doc") returned 4 [0037.980] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.980] lstrlenW (lpString=".docx") returned 5 [0037.980] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.980] lstrlenW (lpString=".pdf") returned 4 [0037.981] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString=".xls") returned 4 [0037.981] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString=".xlsx") returned 5 [0037.981] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.981] lstrlenW (lpString=".ppt") returned 4 [0037.981] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.981] lstrlenW (lpString=".zip") returned 4 [0037.981] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString=".rar") returned 4 [0037.981] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString=".bz2") returned 4 [0037.981] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.981] lstrlenW (lpString=".7z") returned 3 [0037.981] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.981] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.981] lstrlenW (lpString=".dbf") returned 4 [0037.981] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.981] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.981] lstrlenW (lpString=".1cd") returned 4 [0037.981] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.981] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.981] lstrlenW (lpString=".jpg") returned 4 [0037.981] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.981] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.981] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.981] lstrlenW (lpString=".doc") returned 4 [0037.981] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.981] lstrlenW (lpString=".docx") returned 5 [0037.981] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.981] lstrlenW (lpString=".pdf") returned 4 [0037.981] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString=".xls") returned 4 [0037.981] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.981] lstrlenW (lpString=".xlsx") returned 5 [0037.981] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.981] lstrlenW (lpString=".ppt") returned 4 [0037.982] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.982] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.982] lstrlenW (lpString=".zip") returned 4 [0037.982] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.982] lstrlenW (lpString=".rar") returned 4 [0037.982] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.982] lstrlenW (lpString=".bz2") returned 4 [0037.982] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.982] lstrlenW (lpString=".7z") returned 3 [0037.982] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.982] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.982] lstrlenW (lpString=".dbf") returned 4 [0037.982] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.982] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.982] lstrlenW (lpString=".1cd") returned 4 [0037.982] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.982] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0037.982] lstrlenW (lpString=".jpg") returned 4 [0037.982] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.982] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.982] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.982] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.982] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=94800) returned 1 [0037.982] CloseHandle (hObject=0x18c) returned 1 [0037.982] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0037.983] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.983] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.983] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0037.983] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0037.983] lstrlenW (lpString=".doc") returned 4 [0037.983] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.983] lstrlenW (lpString=".docx") returned 5 [0037.983] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.983] lstrlenW (lpString=".pdf") returned 4 [0037.983] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.983] lstrlenW (lpString=".xls") returned 4 [0037.983] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.983] lstrlenW (lpString=".xlsx") returned 5 [0037.983] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.983] lstrlenW (lpString=".ppt") returned 4 [0037.983] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.983] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0037.983] lstrlenW (lpString=".zip") returned 4 [0037.983] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.983] lstrlenW (lpString=".rar") returned 4 [0037.983] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.983] lstrlenW (lpString=".bz2") returned 4 [0037.983] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.983] lstrlenW (lpString=".7z") returned 3 [0037.983] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.984] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0038.022] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0038.022] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0038.023] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0038.023] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.023] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.023] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.113] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.113] ReadFile (in: hFile=0x1ac, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.172] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.172] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.172] ReadFile (in: hFile=0x1ac, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.224] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.224] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0038.343] SetEndOfFile (hFile=0x1ac) returned 1 [0038.343] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f05098 [0038.762] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.762] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.764] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.764] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.770] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.770] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.777] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f05098 | out: hHeap=0x500000) returned 1 [0038.782] CloseHandle (hObject=0x1ac) returned 1 [0039.687] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0039.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.688] lstrlenW (lpString=".doc") returned 4 [0039.688] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.688] lstrlenW (lpString=".docx") returned 5 [0039.688] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.688] lstrlenW (lpString=".pdf") returned 4 [0039.688] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.688] lstrlenW (lpString=".xls") returned 4 [0039.688] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.688] lstrlenW (lpString=".xlsx") returned 5 [0039.688] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.688] lstrlenW (lpString=".ppt") returned 4 [0039.688] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.688] lstrlenW (lpString=".zip") returned 4 [0039.688] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.688] lstrlenW (lpString=".rar") returned 4 [0039.688] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.688] lstrlenW (lpString=".bz2") returned 4 [0039.688] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.688] lstrlenW (lpString=".7z") returned 3 [0039.688] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.688] lstrlenW (lpString=".dbf") returned 4 [0039.688] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.688] lstrlenW (lpString=".1cd") returned 4 [0039.688] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString=".jpg") returned 4 [0039.689] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString=".doc") returned 4 [0039.689] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.689] lstrlenW (lpString=".docx") returned 5 [0039.689] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.689] lstrlenW (lpString=".pdf") returned 4 [0039.689] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.689] lstrlenW (lpString=".xls") returned 4 [0039.689] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.689] lstrlenW (lpString=".xlsx") returned 5 [0039.689] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.689] lstrlenW (lpString=".ppt") returned 4 [0039.689] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString=".zip") returned 4 [0039.689] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.689] lstrlenW (lpString=".rar") returned 4 [0039.689] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.689] lstrlenW (lpString=".bz2") returned 4 [0039.689] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.689] lstrlenW (lpString=".7z") returned 3 [0039.689] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString=".dbf") returned 4 [0039.689] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString=".1cd") returned 4 [0039.689] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0039.689] lstrlenW (lpString=".jpg") returned 4 [0039.689] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.690] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0039.690] lstrlenW (lpString="PubLR.cab") returned 9 [0039.690] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.690] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=9958388) returned 1 [0039.690] CloseHandle (hObject=0x1ac) returned 1 [0039.690] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0039.690] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0039.690] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0039.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.691] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.691] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.691] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.773] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.773] ReadFile (in: hFile=0x1ac, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.784] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.784] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.784] ReadFile (in: hFile=0x1ac, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.814] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.814] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0040.923] SetEndOfFile (hFile=0x1ac) returned 1 [0040.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0041.225] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.225] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.232] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.235] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.244] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.244] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0041.249] CloseHandle (hObject=0x1ac) returned 1 [0044.486] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0044.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.487] lstrlenW (lpString=".doc") returned 4 [0044.487] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString=".docx") returned 5 [0044.487] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.487] lstrlenW (lpString=".pdf") returned 4 [0044.487] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString=".xls") returned 4 [0044.487] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString=".xlsx") returned 5 [0044.487] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.487] lstrlenW (lpString=".ppt") returned 4 [0044.487] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.487] lstrlenW (lpString=".zip") returned 4 [0044.487] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString=".rar") returned 4 [0044.487] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString=".bz2") returned 4 [0044.487] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.487] lstrlenW (lpString=".7z") returned 3 [0044.487] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.487] lstrlenW (lpString=".dbf") returned 4 [0044.487] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.487] lstrlenW (lpString=".1cd") returned 4 [0044.487] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString=".jpg") returned 4 [0044.488] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString=".doc") returned 4 [0044.488] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString=".docx") returned 5 [0044.488] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.488] lstrlenW (lpString=".pdf") returned 4 [0044.488] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString=".xls") returned 4 [0044.488] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString=".xlsx") returned 5 [0044.488] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.488] lstrlenW (lpString=".ppt") returned 4 [0044.488] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString=".zip") returned 4 [0044.488] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString=".rar") returned 4 [0044.488] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString=".bz2") returned 4 [0044.488] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.488] lstrlenW (lpString=".7z") returned 3 [0044.488] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString=".dbf") returned 4 [0044.488] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString=".1cd") returned 4 [0044.488] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0044.488] lstrlenW (lpString=".jpg") returned 4 [0044.488] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.489] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0044.489] lstrlenW (lpString="Proof.cab") returned 9 [0044.489] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0044.568] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=13642474) returned 1 [0044.568] CloseHandle (hObject=0x1ec) returned 1 [0044.568] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0044.568] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.568] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0044.571] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0044.572] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.572] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.572] ReadFile (in: hFile=0x1ec, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.585] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.586] ReadFile (in: hFile=0x1ec, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.592] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.592] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.592] ReadFile (in: hFile=0x1ec, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.853] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.853] WriteFile (in: hFile=0x1ec, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0044.868] SetEndOfFile (hFile=0x1ec) returned 1 [0044.868] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0044.874] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.874] WriteFile (in: hFile=0x1ec, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.875] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.875] WriteFile (in: hFile=0x1ec, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.875] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.876] WriteFile (in: hFile=0x1ec, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.877] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0044.877] CloseHandle (hObject=0x1ec) returned 1 [0047.697] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0047.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.698] lstrlenW (lpString=".doc") returned 4 [0047.698] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.698] lstrlenW (lpString=".docx") returned 5 [0047.698] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0047.698] lstrlenW (lpString=".pdf") returned 4 [0047.698] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.698] lstrlenW (lpString=".xls") returned 4 [0047.698] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.698] lstrlenW (lpString=".xlsx") returned 5 [0047.698] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0047.698] lstrlenW (lpString=".ppt") returned 4 [0047.698] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.698] lstrlenW (lpString=".zip") returned 4 [0047.698] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.698] lstrlenW (lpString=".rar") returned 4 [0047.698] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.698] lstrlenW (lpString=".bz2") returned 4 [0047.698] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.698] lstrlenW (lpString=".7z") returned 3 [0047.698] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.698] lstrlenW (lpString=".dbf") returned 4 [0047.699] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString=".1cd") returned 4 [0047.699] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString=".jpg") returned 4 [0047.699] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString=".doc") returned 4 [0047.699] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString=".docx") returned 5 [0047.699] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0047.699] lstrlenW (lpString=".pdf") returned 4 [0047.699] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString=".xls") returned 4 [0047.699] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString=".xlsx") returned 5 [0047.699] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0047.699] lstrlenW (lpString=".ppt") returned 4 [0047.699] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString=".zip") returned 4 [0047.699] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString=".rar") returned 4 [0047.699] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString=".bz2") returned 4 [0047.699] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.699] lstrlenW (lpString=".7z") returned 3 [0047.699] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString=".dbf") returned 4 [0047.699] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.699] lstrlenW (lpString=".1cd") returned 4 [0047.699] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0047.700] lstrlenW (lpString=".jpg") returned 4 [0047.700] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.700] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0047.700] lstrlenW (lpString="InfLR.cab") returned 9 [0047.700] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.700] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=18874884) returned 1 [0047.700] CloseHandle (hObject=0x20c) returned 1 [0047.700] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0047.700] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.700] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0047.838] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.838] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.838] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.838] ReadFile (in: hFile=0x20c, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.861] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.861] ReadFile (in: hFile=0x20c, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.875] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.875] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.875] ReadFile (in: hFile=0x20c, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.897] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.897] WriteFile (in: hFile=0x20c, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0047.910] SetEndOfFile (hFile=0x20c) returned 1 [0047.910] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f660d0 [0047.914] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.914] WriteFile (in: hFile=0x20c, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.792] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.792] WriteFile (in: hFile=0x20c, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.797] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.797] WriteFile (in: hFile=0x20c, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.801] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f660d0 | out: hHeap=0x500000) returned 1 [0048.804] CloseHandle (hObject=0x20c) returned 1 [0048.804] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0048.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString=".doc") returned 4 [0048.805] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString=".docx") returned 5 [0048.805] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0048.805] lstrlenW (lpString=".pdf") returned 4 [0048.805] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString=".xls") returned 4 [0048.805] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString=".xlsx") returned 5 [0048.805] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0048.805] lstrlenW (lpString=".ppt") returned 4 [0048.805] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString=".zip") returned 4 [0048.805] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString=".rar") returned 4 [0048.805] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString=".bz2") returned 4 [0048.805] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.805] lstrlenW (lpString=".7z") returned 3 [0048.805] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString=".dbf") returned 4 [0048.805] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString=".1cd") returned 4 [0048.805] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString=".jpg") returned 4 [0048.805] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.805] lstrlenW (lpString=".doc") returned 4 [0048.805] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.805] lstrlenW (lpString=".docx") returned 5 [0048.805] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0048.806] lstrlenW (lpString=".pdf") returned 4 [0048.806] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.806] lstrlenW (lpString=".xls") returned 4 [0048.806] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.806] lstrlenW (lpString=".xlsx") returned 5 [0048.806] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0048.806] lstrlenW (lpString=".ppt") returned 4 [0048.806] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.806] lstrlenW (lpString=".zip") returned 4 [0048.806] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.806] lstrlenW (lpString=".rar") returned 4 [0048.806] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.806] lstrlenW (lpString=".bz2") returned 4 [0048.806] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.806] lstrlenW (lpString=".7z") returned 3 [0048.806] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.806] lstrlenW (lpString=".dbf") returned 4 [0048.806] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.806] lstrlenW (lpString=".1cd") returned 4 [0048.806] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0048.806] lstrlenW (lpString=".jpg") returned 4 [0048.806] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.806] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0048.806] lstrlenW (lpString="OnoteLR.cab") returned 11 [0048.806] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.906] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=17456632) returned 1 [0048.906] CloseHandle (hObject=0x194) returned 1 [0048.907] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0048.907] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.907] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0048.908] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.908] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.908] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.908] ReadFile (in: hFile=0x194, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.008] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.008] ReadFile (in: hFile=0x194, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.020] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.020] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.020] ReadFile (in: hFile=0x194, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.066] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.066] WriteFile (in: hFile=0x194, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0049.352] SetEndOfFile (hFile=0x194) returned 1 [0049.352] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60d8 [0049.437] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.437] WriteFile (in: hFile=0x194, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.438] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.438] WriteFile (in: hFile=0x194, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.439] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.439] WriteFile (in: hFile=0x194, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60d8 | out: hHeap=0x500000) returned 1 [0049.442] CloseHandle (hObject=0x194) returned 1 [0049.442] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.443] lstrlenW (lpString=".doc") returned 4 [0049.443] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.443] lstrlenW (lpString=".docx") returned 5 [0049.443] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0049.443] lstrlenW (lpString=".pdf") returned 4 [0049.443] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.443] lstrlenW (lpString=".xls") returned 4 [0049.443] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.443] lstrlenW (lpString=".xlsx") returned 5 [0049.443] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0049.443] lstrlenW (lpString=".ppt") returned 4 [0049.443] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.443] lstrlenW (lpString=".zip") returned 4 [0049.443] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.443] lstrlenW (lpString=".rar") returned 4 [0049.443] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.443] lstrlenW (lpString=".bz2") returned 4 [0049.443] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.443] lstrlenW (lpString=".7z") returned 3 [0049.443] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.443] lstrlenW (lpString=".dbf") returned 4 [0049.444] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.444] lstrlenW (lpString=".1cd") returned 4 [0049.444] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.444] lstrlenW (lpString=".jpg") returned 4 [0049.444] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.444] lstrlenW (lpString=".doc") returned 4 [0049.444] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString=".docx") returned 5 [0049.444] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0049.444] lstrlenW (lpString=".pdf") returned 4 [0049.444] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString=".xls") returned 4 [0049.444] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString=".xlsx") returned 5 [0049.444] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0049.444] lstrlenW (lpString=".ppt") returned 4 [0049.444] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.444] lstrlenW (lpString=".zip") returned 4 [0049.444] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString=".rar") returned 4 [0049.444] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.444] lstrlenW (lpString=".bz2") returned 4 [0049.445] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.445] lstrlenW (lpString=".7z") returned 3 [0049.445] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.445] lstrlenW (lpString=".dbf") returned 4 [0049.445] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.445] lstrlenW (lpString=".1cd") returned 4 [0049.445] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0049.445] lstrlenW (lpString=".jpg") returned 4 [0049.445] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.445] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0049.445] lstrlenW (lpString="GrooveLR.cab") returned 12 [0049.445] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.446] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=4095519) returned 1 [0049.446] CloseHandle (hObject=0x194) returned 1 [0049.446] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0049.446] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.446] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0049.447] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.447] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.447] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.447] ReadFile (in: hFile=0x194, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.457] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.457] ReadFile (in: hFile=0x194, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.492] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.492] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.492] ReadFile (in: hFile=0x194, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.077] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.077] WriteFile (in: hFile=0x194, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0050.536] SetEndOfFile (hFile=0x194) returned 1 [0050.537] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f660d0 [0050.541] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.541] WriteFile (in: hFile=0x194, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.543] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.543] WriteFile (in: hFile=0x194, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.545] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.545] WriteFile (in: hFile=0x194, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.547] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f660d0 | out: hHeap=0x500000) returned 1 [0050.547] CloseHandle (hObject=0x194) returned 1 [0050.547] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0050.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.548] lstrlenW (lpString=".doc") returned 4 [0050.548] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString=".docx") returned 5 [0050.548] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0050.548] lstrlenW (lpString=".pdf") returned 4 [0050.548] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString=".xls") returned 4 [0050.548] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString=".xlsx") returned 5 [0050.548] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0050.548] lstrlenW (lpString=".ppt") returned 4 [0050.548] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.548] lstrlenW (lpString=".zip") returned 4 [0050.548] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString=".rar") returned 4 [0050.548] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString=".bz2") returned 4 [0050.548] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.548] lstrlenW (lpString=".7z") returned 3 [0050.548] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.548] lstrlenW (lpString=".dbf") returned 4 [0050.548] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.548] lstrlenW (lpString=".1cd") returned 4 [0050.548] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.549] lstrlenW (lpString=".jpg") returned 4 [0050.549] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.549] lstrlenW (lpString=".doc") returned 4 [0050.549] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString=".docx") returned 5 [0050.549] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0050.549] lstrlenW (lpString=".pdf") returned 4 [0050.549] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString=".xls") returned 4 [0050.549] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString=".xlsx") returned 5 [0050.549] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0050.549] lstrlenW (lpString=".ppt") returned 4 [0050.549] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.549] lstrlenW (lpString=".zip") returned 4 [0050.549] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString=".rar") returned 4 [0050.549] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString=".bz2") returned 4 [0050.549] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.549] lstrlenW (lpString=".7z") returned 3 [0050.549] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.549] lstrlenW (lpString=".dbf") returned 4 [0050.549] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.549] lstrlenW (lpString=".1cd") returned 4 [0050.550] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0050.550] lstrlenW (lpString=".jpg") returned 4 [0050.550] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.550] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0050.550] lstrlenW (lpString="msvcr90.dll") returned 11 [0050.550] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.131] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=655872) returned 1 [0051.131] CloseHandle (hObject=0x1f8) returned 1 [0051.132] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0051.132] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.132] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.132] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.132] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.132] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0051.132] GetLastError () returned 0x0 [0051.132] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0xa0200, lpOverlapped=0x0) returned 1 [0051.231] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0051.247] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.247] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.247] SetEndOfFile (hFile=0x218) returned 1 [0051.248] CloseHandle (hObject=0x218) returned 1 [0051.248] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.248] SetEndOfFile (hFile=0x1f8) returned 1 [0051.404] CloseHandle (hObject=0x1f8) returned 1 [0051.404] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.405] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0051.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.405] lstrlenW (lpString=".doc") returned 4 [0051.405] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.405] lstrlenW (lpString=".docx") returned 5 [0051.405] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0051.405] lstrlenW (lpString=".pdf") returned 4 [0051.405] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.405] lstrlenW (lpString=".xls") returned 4 [0051.405] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.405] lstrlenW (lpString=".xlsx") returned 5 [0051.405] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0051.405] lstrlenW (lpString=".ppt") returned 4 [0051.405] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.405] lstrlenW (lpString=".zip") returned 4 [0051.405] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.405] lstrlenW (lpString=".rar") returned 4 [0051.405] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.405] lstrlenW (lpString=".bz2") returned 4 [0051.405] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.405] lstrlenW (lpString=".7z") returned 3 [0051.405] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.405] lstrlenW (lpString=".dbf") returned 4 [0051.406] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString=".1cd") returned 4 [0051.406] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString=".jpg") returned 4 [0051.406] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString=".doc") returned 4 [0051.406] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString=".docx") returned 5 [0051.406] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0051.406] lstrlenW (lpString=".pdf") returned 4 [0051.406] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString=".xls") returned 4 [0051.406] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString=".xlsx") returned 5 [0051.406] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0051.406] lstrlenW (lpString=".ppt") returned 4 [0051.406] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString=".zip") returned 4 [0051.406] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString=".rar") returned 4 [0051.406] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.406] lstrlenW (lpString=".bz2") returned 4 [0051.406] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.406] lstrlenW (lpString=".7z") returned 3 [0051.406] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString=".dbf") returned 4 [0051.406] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.406] lstrlenW (lpString=".1cd") returned 4 [0051.406] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0051.407] lstrlenW (lpString=".jpg") returned 4 [0051.407] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.407] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0051.407] lstrlenW (lpString="AccLR.cab") returned 9 [0051.407] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0051.690] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=28016276) returned 1 [0051.690] CloseHandle (hObject=0x208) returned 1 [0051.690] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0051.690] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.690] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0051.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0051.691] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.691] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.691] ReadFile (in: hFile=0x208, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.713] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.713] ReadFile (in: hFile=0x208, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.760] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.760] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.760] ReadFile (in: hFile=0x208, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.817] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.818] WriteFile (in: hFile=0x208, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0052.030] SetEndOfFile (hFile=0x208) returned 1 [0052.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fc60d8 [0052.148] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.148] WriteFile (in: hFile=0x208, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.150] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.150] WriteFile (in: hFile=0x208, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.153] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.153] WriteFile (in: hFile=0x208, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fc60d8 | out: hHeap=0x500000) returned 1 [0052.155] CloseHandle (hObject=0x208) returned 1 [0052.156] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.156] lstrlenW (lpString=".doc") returned 4 [0052.156] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.156] lstrlenW (lpString=".docx") returned 5 [0052.156] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0052.156] lstrlenW (lpString=".pdf") returned 4 [0052.156] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.156] lstrlenW (lpString=".xls") returned 4 [0052.156] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.156] lstrlenW (lpString=".xlsx") returned 5 [0052.156] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0052.156] lstrlenW (lpString=".ppt") returned 4 [0052.156] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.156] lstrlenW (lpString=".zip") returned 4 [0052.156] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.156] lstrlenW (lpString=".rar") returned 4 [0052.157] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.157] lstrlenW (lpString=".bz2") returned 4 [0052.157] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.157] lstrlenW (lpString=".7z") returned 3 [0052.157] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.157] lstrlenW (lpString=".dbf") returned 4 [0052.157] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.157] lstrlenW (lpString=".1cd") returned 4 [0052.157] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.157] lstrlenW (lpString=".jpg") returned 4 [0052.157] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.157] lstrlenW (lpString=".doc") returned 4 [0052.157] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.157] lstrlenW (lpString=".docx") returned 5 [0052.157] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0052.157] lstrlenW (lpString=".pdf") returned 4 [0052.157] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.157] lstrlenW (lpString=".xls") returned 4 [0052.157] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.157] lstrlenW (lpString=".xlsx") returned 5 [0052.157] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0052.158] lstrlenW (lpString=".ppt") returned 4 [0052.158] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.158] lstrlenW (lpString=".zip") returned 4 [0052.158] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.158] lstrlenW (lpString=".rar") returned 4 [0052.158] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.158] lstrlenW (lpString=".bz2") returned 4 [0052.158] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.158] lstrlenW (lpString=".7z") returned 3 [0052.158] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.158] lstrlenW (lpString=".dbf") returned 4 [0052.158] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.158] lstrlenW (lpString=".1cd") returned 4 [0052.158] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0052.158] lstrlenW (lpString=".jpg") returned 4 [0052.158] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.158] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0052.158] lstrlenW (lpString="PidGenX.dll") returned 11 [0052.158] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0052.159] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=1463568) returned 1 [0052.159] CloseHandle (hObject=0x208) returned 1 [0052.159] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0052.159] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.159] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0052.159] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.159] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.159] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0052.162] GetLastError () returned 0x0 [0052.162] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.202] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.376] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x65520, lpOverlapped=0x0) returned 1 [0052.651] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0052.662] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.662] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.662] SetEndOfFile (hFile=0x218) returned 1 [0052.662] CloseHandle (hObject=0x218) returned 1 [0052.662] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.662] SetEndOfFile (hFile=0x208) returned 1 [0052.666] CloseHandle (hObject=0x208) returned 1 [0052.666] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.666] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0052.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.666] lstrlenW (lpString=".doc") returned 4 [0052.666] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.666] lstrlenW (lpString=".docx") returned 5 [0052.667] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0052.667] lstrlenW (lpString=".pdf") returned 4 [0052.667] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString=".xls") returned 4 [0052.667] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString=".xlsx") returned 5 [0052.667] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0052.667] lstrlenW (lpString=".ppt") returned 4 [0052.667] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.667] lstrlenW (lpString=".zip") returned 4 [0052.667] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString=".rar") returned 4 [0052.667] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString=".bz2") returned 4 [0052.667] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.667] lstrlenW (lpString=".7z") returned 3 [0052.667] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.667] lstrlenW (lpString=".dbf") returned 4 [0052.667] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.667] lstrlenW (lpString=".1cd") returned 4 [0052.667] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.667] lstrlenW (lpString=".jpg") returned 4 [0052.667] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.667] lstrlenW (lpString=".doc") returned 4 [0052.667] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.667] lstrlenW (lpString=".docx") returned 5 [0052.667] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0052.667] lstrlenW (lpString=".pdf") returned 4 [0052.668] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.668] lstrlenW (lpString=".xls") returned 4 [0052.668] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.668] lstrlenW (lpString=".xlsx") returned 5 [0052.668] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0052.668] lstrlenW (lpString=".ppt") returned 4 [0052.668] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.668] lstrlenW (lpString=".zip") returned 4 [0052.668] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.668] lstrlenW (lpString=".rar") returned 4 [0052.668] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.668] lstrlenW (lpString=".bz2") returned 4 [0052.668] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.668] lstrlenW (lpString=".7z") returned 3 [0052.668] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.668] lstrlenW (lpString=".dbf") returned 4 [0052.668] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.668] lstrlenW (lpString=".1cd") returned 4 [0052.668] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.668] lstrlenW (lpString=".jpg") returned 4 [0052.668] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.668] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0052.668] lstrlenW (lpString="setup.exe") returned 9 [0052.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0052.669] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=1377656) returned 1 [0052.669] CloseHandle (hObject=0x208) returned 1 [0052.669] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0052.669] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.669] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0052.669] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.669] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.669] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0052.669] GetLastError () returned 0x0 [0052.669] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.929] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.951] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x50588, lpOverlapped=0x0) returned 1 [0053.058] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0053.067] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.067] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.068] SetEndOfFile (hFile=0x218) returned 1 [0053.068] CloseHandle (hObject=0x218) returned 1 [0053.068] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.068] SetEndOfFile (hFile=0x208) returned 1 [0053.071] CloseHandle (hObject=0x208) returned 1 [0053.072] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0053.072] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0053.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.072] lstrlenW (lpString=".doc") returned 4 [0053.072] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.072] lstrlenW (lpString=".docx") returned 5 [0053.072] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0053.072] lstrlenW (lpString=".pdf") returned 4 [0053.072] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.072] lstrlenW (lpString=".xls") returned 4 [0053.072] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.072] lstrlenW (lpString=".xlsx") returned 5 [0053.072] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0053.072] lstrlenW (lpString=".ppt") returned 4 [0053.072] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString=".zip") returned 4 [0053.073] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString=".rar") returned 4 [0053.073] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString=".bz2") returned 4 [0053.073] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.073] lstrlenW (lpString=".7z") returned 3 [0053.073] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString=".dbf") returned 4 [0053.073] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString=".1cd") returned 4 [0053.073] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString=".jpg") returned 4 [0053.073] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString=".doc") returned 4 [0053.073] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.073] lstrlenW (lpString=".docx") returned 5 [0053.073] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0053.073] lstrlenW (lpString=".pdf") returned 4 [0053.073] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString=".xls") returned 4 [0053.073] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString=".xlsx") returned 5 [0053.073] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0053.073] lstrlenW (lpString=".ppt") returned 4 [0053.073] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.073] lstrlenW (lpString=".zip") returned 4 [0053.073] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.073] lstrlenW (lpString=".rar") returned 4 [0053.074] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.074] lstrlenW (lpString=".bz2") returned 4 [0053.074] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.074] lstrlenW (lpString=".7z") returned 3 [0053.074] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.074] lstrlenW (lpString=".dbf") returned 4 [0053.074] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.074] lstrlenW (lpString=".1cd") returned 4 [0053.074] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.074] lstrlenW (lpString=".jpg") returned 4 [0053.074] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.074] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0053.074] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0053.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.113] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=36233052) returned 1 [0053.114] CloseHandle (hObject=0x218) returned 1 [0053.114] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0053.114] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.114] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0053.115] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.115] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0053.115] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.115] ReadFile (in: hFile=0x218, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.433] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.433] ReadFile (in: hFile=0x218, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.440] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.440] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.440] ReadFile (in: hFile=0x218, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.458] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.458] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0053.481] SetEndOfFile (hFile=0x218) returned 1 [0053.481] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0053.575] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.575] WriteFile (in: hFile=0x218, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.576] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.576] WriteFile (in: hFile=0x218, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.577] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.577] WriteFile (in: hFile=0x218, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.579] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0053.579] CloseHandle (hObject=0x218) returned 1 [0053.579] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0053.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.580] lstrlenW (lpString=".doc") returned 4 [0053.580] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.580] lstrlenW (lpString=".docx") returned 5 [0053.580] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0053.580] lstrlenW (lpString=".pdf") returned 4 [0053.580] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.580] lstrlenW (lpString=".xls") returned 4 [0053.580] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.580] lstrlenW (lpString=".xlsx") returned 5 [0053.580] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0053.580] lstrlenW (lpString=".ppt") returned 4 [0053.580] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.580] lstrlenW (lpString=".zip") returned 4 [0053.580] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.580] lstrlenW (lpString=".rar") returned 4 [0053.580] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.580] lstrlenW (lpString=".bz2") returned 4 [0053.580] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.580] lstrlenW (lpString=".7z") returned 3 [0053.581] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.581] lstrlenW (lpString=".dbf") returned 4 [0053.581] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.581] lstrlenW (lpString=".1cd") returned 4 [0053.581] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.581] lstrlenW (lpString=".jpg") returned 4 [0053.581] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.581] lstrlenW (lpString=".doc") returned 4 [0053.581] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString=".docx") returned 5 [0053.581] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0053.581] lstrlenW (lpString=".pdf") returned 4 [0053.581] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString=".xls") returned 4 [0053.581] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString=".xlsx") returned 5 [0053.581] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0053.581] lstrlenW (lpString=".ppt") returned 4 [0053.581] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.581] lstrlenW (lpString=".zip") returned 4 [0053.581] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString=".rar") returned 4 [0053.581] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.581] lstrlenW (lpString=".bz2") returned 4 [0053.581] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.581] lstrlenW (lpString=".7z") returned 3 [0053.581] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.582] lstrlenW (lpString=".dbf") returned 4 [0053.582] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.582] lstrlenW (lpString=".1cd") returned 4 [0053.582] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.582] lstrlenW (lpString=".jpg") returned 4 [0053.582] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.582] lstrcmpiW (lpString1=".xrm-ms", lpString2=".NcOv") returned 1 [0053.582] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0053.582] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.596] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=715834) returned 1 [0053.596] CloseHandle (hObject=0x214) returned 1 [0053.596] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0053.597] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.597] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.597] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.597] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.597] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.597] GetLastError () returned 0x0 [0053.597] ReadFile (in: hFile=0x214, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0053.617] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0054.505] ReadFile (in: hFile=0x214, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.506] WriteFile (in: hFile=0x218, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0x104, lpOverlapped=0x0) returned 1 [0054.506] SetEndOfFile (hFile=0x218) returned 1 [0054.507] CloseHandle (hObject=0x218) returned 1 [0054.507] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.507] SetEndOfFile (hFile=0x214) returned 1 [0054.515] CloseHandle (hObject=0x214) returned 1 [0054.515] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0054.516] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0054.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.516] lstrlenW (lpString=".doc") returned 4 [0054.516] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0054.516] lstrlenW (lpString=".docx") returned 5 [0054.516] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0054.516] lstrlenW (lpString=".pdf") returned 4 [0054.516] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0054.516] lstrlenW (lpString=".xls") returned 4 [0054.516] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0054.516] lstrlenW (lpString=".xlsx") returned 5 [0054.516] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0054.516] lstrlenW (lpString=".ppt") returned 4 [0054.516] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0054.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.516] lstrlenW (lpString=".zip") returned 4 [0054.516] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0054.516] lstrlenW (lpString=".rar") returned 4 [0054.517] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString=".bz2") returned 4 [0054.517] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString=".7z") returned 3 [0054.517] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0054.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.517] lstrlenW (lpString=".dbf") returned 4 [0054.517] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.517] lstrlenW (lpString=".1cd") returned 4 [0054.517] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.517] lstrlenW (lpString=".jpg") returned 4 [0054.517] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.517] lstrlenW (lpString=".doc") returned 4 [0054.517] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString=".docx") returned 5 [0054.517] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0054.517] lstrlenW (lpString=".pdf") returned 4 [0054.517] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString=".xls") returned 4 [0054.517] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0054.517] lstrlenW (lpString=".xlsx") returned 5 [0054.517] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0054.517] lstrlenW (lpString=".ppt") returned 4 [0054.517] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0054.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.518] lstrlenW (lpString=".zip") returned 4 [0054.518] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0054.518] lstrlenW (lpString=".rar") returned 4 [0054.518] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0054.518] lstrlenW (lpString=".bz2") returned 4 [0054.518] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0054.518] lstrlenW (lpString=".7z") returned 3 [0054.518] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0054.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.518] lstrlenW (lpString=".dbf") returned 4 [0054.518] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0054.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.518] lstrlenW (lpString=".1cd") returned 4 [0054.518] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0054.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0054.518] lstrlenW (lpString=".jpg") returned 4 [0054.518] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0054.518] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0054.518] lstrlenW (lpString="Office32WW.msi") returned 14 [0054.519] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0054.519] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=1992192) returned 1 [0054.519] CloseHandle (hObject=0x214) returned 1 [0054.519] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0054.519] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0054.520] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0054.520] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0054.520] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.521] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.521] ReadFile (in: hFile=0x214, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.531] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.531] ReadFile (in: hFile=0x214, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.641] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.641] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.641] ReadFile (in: hFile=0x214, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.738] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.738] WriteFile (in: hFile=0x214, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0055.005] SetEndOfFile (hFile=0x214) returned 1 [0055.006] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0055.006] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.006] WriteFile (in: hFile=0x214, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.008] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.008] WriteFile (in: hFile=0x214, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.010] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.010] WriteFile (in: hFile=0x214, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0055.013] CloseHandle (hObject=0x214) returned 1 [0055.013] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.014] lstrlenW (lpString=".doc") returned 4 [0055.014] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0055.014] lstrlenW (lpString=".docx") returned 5 [0055.014] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0055.014] lstrlenW (lpString=".pdf") returned 4 [0055.014] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0055.014] lstrlenW (lpString=".xls") returned 4 [0055.014] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0055.014] lstrlenW (lpString=".xlsx") returned 5 [0055.014] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0055.014] lstrlenW (lpString=".ppt") returned 4 [0055.014] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0055.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.014] lstrlenW (lpString=".zip") returned 4 [0055.014] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0055.014] lstrlenW (lpString=".rar") returned 4 [0055.014] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0055.014] lstrlenW (lpString=".bz2") returned 4 [0055.014] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0055.014] lstrlenW (lpString=".7z") returned 3 [0055.014] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0055.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.014] lstrlenW (lpString=".dbf") returned 4 [0055.014] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0055.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.015] lstrlenW (lpString=".1cd") returned 4 [0055.015] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0055.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.015] lstrlenW (lpString=".jpg") returned 4 [0055.015] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0055.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.015] lstrlenW (lpString=".doc") returned 4 [0055.015] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0055.015] lstrlenW (lpString=".docx") returned 5 [0055.015] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0055.015] lstrlenW (lpString=".pdf") returned 4 [0055.015] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0055.015] lstrlenW (lpString=".xls") returned 4 [0055.015] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0055.015] lstrlenW (lpString=".xlsx") returned 5 [0055.015] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0055.015] lstrlenW (lpString=".ppt") returned 4 [0055.015] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0055.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.015] lstrlenW (lpString=".zip") returned 4 [0055.015] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0055.015] lstrlenW (lpString=".rar") returned 4 [0055.015] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0055.015] lstrlenW (lpString=".bz2") returned 4 [0055.016] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0055.016] lstrlenW (lpString=".7z") returned 3 [0055.016] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0055.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.016] lstrlenW (lpString=".dbf") returned 4 [0055.016] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0055.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.016] lstrlenW (lpString=".1cd") returned 4 [0055.016] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0055.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0055.016] lstrlenW (lpString=".jpg") returned 4 [0055.016] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0055.016] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0055.016] lstrlenW (lpString="osetup.dll") returned 10 [0055.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0055.111] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=7378792) returned 1 [0055.111] CloseHandle (hObject=0x204) returned 1 [0055.111] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0055.111] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.111] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0055.112] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0055.112] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.112] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.112] ReadFile (in: hFile=0x204, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.147] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.147] ReadFile (in: hFile=0x204, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.160] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.160] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.160] ReadFile (in: hFile=0x204, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.491] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.491] WriteFile (in: hFile=0x204, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0055.511] SetEndOfFile (hFile=0x204) returned 1 [0055.512] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0055.512] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.512] WriteFile (in: hFile=0x204, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.791] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.791] WriteFile (in: hFile=0x204, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.794] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.794] WriteFile (in: hFile=0x204, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.796] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0055.876] CloseHandle (hObject=0x204) returned 1 [0056.215] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0056.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.215] lstrlenW (lpString=".doc") returned 4 [0056.215] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.215] lstrlenW (lpString=".docx") returned 5 [0056.215] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0056.215] lstrlenW (lpString=".pdf") returned 4 [0056.215] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.215] lstrlenW (lpString=".xls") returned 4 [0056.215] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.215] lstrlenW (lpString=".xlsx") returned 5 [0056.215] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0056.215] lstrlenW (lpString=".ppt") returned 4 [0056.215] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.215] lstrlenW (lpString=".zip") returned 4 [0056.215] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.216] lstrlenW (lpString=".rar") returned 4 [0056.216] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.216] lstrlenW (lpString=".bz2") returned 4 [0056.216] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.216] lstrlenW (lpString=".7z") returned 3 [0056.216] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.216] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.216] lstrlenW (lpString=".dbf") returned 4 [0056.216] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.216] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.216] lstrlenW (lpString=".1cd") returned 4 [0056.216] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.216] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.216] lstrlenW (lpString=".jpg") returned 4 [0056.216] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.216] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.216] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.216] lstrlenW (lpString=".doc") returned 4 [0056.216] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.216] lstrlenW (lpString=".docx") returned 5 [0056.216] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0056.216] lstrlenW (lpString=".pdf") returned 4 [0056.216] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.216] lstrlenW (lpString=".xls") returned 4 [0056.216] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.216] lstrlenW (lpString=".xlsx") returned 5 [0056.216] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0056.216] lstrlenW (lpString=".ppt") returned 4 [0056.216] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.217] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.217] lstrlenW (lpString=".zip") returned 4 [0056.217] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.217] lstrlenW (lpString=".rar") returned 4 [0056.217] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.217] lstrlenW (lpString=".bz2") returned 4 [0056.217] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.217] lstrlenW (lpString=".7z") returned 3 [0056.217] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.217] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.217] lstrlenW (lpString=".dbf") returned 4 [0056.217] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.217] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.217] lstrlenW (lpString=".1cd") returned 4 [0056.217] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.217] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0056.217] lstrlenW (lpString=".jpg") returned 4 [0056.217] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.217] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0056.217] lstrlenW (lpString="VisiorWW.msi") returned 12 [0056.217] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0056.218] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=12060672) returned 1 [0056.218] CloseHandle (hObject=0x1ac) returned 1 [0056.218] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi")) returned 0x2020 [0056.218] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.218] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0056.219] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0056.219] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0x0) returned 1 [0056.219] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.219] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a70058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.223] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.223] ReadFile (in: hFile=0x1ac, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.236] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x302fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0056.236] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x302fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.236] ReadFile (in: hFile=0x1ac, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x302fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x302fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.256] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.256] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x302fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0056.505] SetEndOfFile (hFile=0x1ac) returned 1 [0056.651] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0056.656] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.657] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.658] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.658] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.667] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x302fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.667] WriteFile (in: hFile=0x1ac, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x302fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x302fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.670] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0056.670] CloseHandle (hObject=0x1ac) returned 1 [0056.670] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0056.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.671] lstrlenW (lpString=".doc") returned 4 [0056.671] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.671] lstrlenW (lpString=".docx") returned 5 [0056.671] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0056.671] lstrlenW (lpString=".pdf") returned 4 [0056.671] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.671] lstrlenW (lpString=".xls") returned 4 [0056.671] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.671] lstrlenW (lpString=".xlsx") returned 5 [0056.671] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0056.671] lstrlenW (lpString=".ppt") returned 4 [0056.671] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.671] lstrlenW (lpString=".zip") returned 4 [0056.671] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.671] lstrlenW (lpString=".rar") returned 4 [0056.671] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.671] lstrlenW (lpString=".bz2") returned 4 [0056.671] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.671] lstrlenW (lpString=".7z") returned 3 [0056.671] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.671] lstrlenW (lpString=".dbf") returned 4 [0056.671] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.671] lstrlenW (lpString=".1cd") returned 4 [0056.671] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString=".jpg") returned 4 [0056.672] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.672] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString=".doc") returned 4 [0056.672] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.672] lstrlenW (lpString=".docx") returned 5 [0056.672] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0056.672] lstrlenW (lpString=".pdf") returned 4 [0056.672] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.672] lstrlenW (lpString=".xls") returned 4 [0056.672] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.672] lstrlenW (lpString=".xlsx") returned 5 [0056.672] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0056.672] lstrlenW (lpString=".ppt") returned 4 [0056.672] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.672] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString=".zip") returned 4 [0056.672] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.672] lstrlenW (lpString=".rar") returned 4 [0056.672] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.672] lstrlenW (lpString=".bz2") returned 4 [0056.672] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.672] lstrlenW (lpString=".7z") returned 3 [0056.672] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.672] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString=".dbf") returned 4 [0056.672] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.672] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString=".1cd") returned 4 [0056.672] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.672] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0056.672] lstrlenW (lpString=".jpg") returned 4 [0056.672] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.673] lstrcmpiW (lpString1=".EXE", lpString2=".NcOv") returned -1 [0056.673] lstrlenW (lpString="DW20.EXE") returned 8 [0056.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0058.115] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=994184) returned 1 [0058.116] CloseHandle (hObject=0x1c4) returned 1 [0058.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 0x20 [0058.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0058.116] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.116] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0058.117] GetLastError () returned 0x0 [0058.117] ReadFile (in: hFile=0x1c4, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0xf2b88, lpOverlapped=0x0) returned 1 [0058.973] WriteFile (in: hFile=0x210, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xf2b90, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xf2b90, lpOverlapped=0x0) returned 1 [0059.125] ReadFile (in: hFile=0x1c4, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.126] WriteFile (in: hFile=0x210, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0059.126] SetEndOfFile (hFile=0x210) returned 1 [0059.126] CloseHandle (hObject=0x210) returned 1 [0059.126] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.126] SetEndOfFile (hFile=0x1c4) returned 1 [0059.138] CloseHandle (hObject=0x1c4) returned 1 [0059.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0059.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.139] lstrlenW (lpString=".doc") returned 4 [0059.139] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0059.139] lstrlenW (lpString=".docx") returned 5 [0059.139] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0059.139] lstrlenW (lpString=".pdf") returned 4 [0059.139] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0059.139] lstrlenW (lpString=".xls") returned 4 [0059.139] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0059.139] lstrlenW (lpString=".xlsx") returned 5 [0059.139] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0059.139] lstrlenW (lpString=".ppt") returned 4 [0059.139] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.139] lstrlenW (lpString=".zip") returned 4 [0059.139] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0059.139] lstrlenW (lpString=".rar") returned 4 [0059.140] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0059.140] lstrlenW (lpString=".bz2") returned 4 [0059.140] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0059.140] lstrlenW (lpString=".7z") returned 3 [0059.140] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.140] lstrlenW (lpString=".dbf") returned 4 [0059.140] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.140] lstrlenW (lpString=".1cd") returned 4 [0059.140] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.140] lstrlenW (lpString=".jpg") returned 4 [0059.140] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.140] lstrlenW (lpString=".doc") returned 4 [0059.140] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0059.140] lstrlenW (lpString=".docx") returned 5 [0059.140] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0059.140] lstrlenW (lpString=".pdf") returned 4 [0059.140] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0059.140] lstrlenW (lpString=".xls") returned 4 [0059.140] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0059.140] lstrlenW (lpString=".xlsx") returned 5 [0059.140] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0059.140] lstrlenW (lpString=".ppt") returned 4 [0059.141] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0059.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.141] lstrlenW (lpString=".zip") returned 4 [0059.141] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0059.141] lstrlenW (lpString=".rar") returned 4 [0059.141] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0059.141] lstrlenW (lpString=".bz2") returned 4 [0059.141] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0059.141] lstrlenW (lpString=".7z") returned 3 [0059.141] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0059.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.141] lstrlenW (lpString=".dbf") returned 4 [0059.141] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0059.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.141] lstrlenW (lpString=".1cd") returned 4 [0059.141] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0059.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0059.141] lstrlenW (lpString=".jpg") returned 4 [0059.141] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0059.141] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0059.141] lstrlenW (lpString="odffilt.dll") returned 11 [0059.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0060.586] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=1312656) returned 1 [0060.586] CloseHandle (hObject=0x19c) returned 1 [0060.586] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 0x20 [0060.594] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0060.629] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.629] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0060.630] GetLastError () returned 0x0 [0060.630] ReadFile (in: hFile=0x19c, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0060.665] WriteFile (in: hFile=0x224, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0061.015] ReadFile (in: hFile=0x19c, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x407a0, lpOverlapped=0x0) returned 1 [0061.031] WriteFile (in: hFile=0x224, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0x407b0, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0x407b0, lpOverlapped=0x0) returned 1 [0061.580] ReadFile (in: hFile=0x19c, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.580] WriteFile (in: hFile=0x224, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xea, lpOverlapped=0x0) returned 1 [0061.581] SetEndOfFile (hFile=0x224) returned 1 [0061.585] CloseHandle (hObject=0x224) returned 1 [0061.587] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.587] SetEndOfFile (hFile=0x19c) returned 1 [0061.592] CloseHandle (hObject=0x19c) returned 1 [0061.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0061.643] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 1 [0061.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.643] lstrlenW (lpString=".doc") returned 4 [0061.643] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0061.643] lstrlenW (lpString=".docx") returned 5 [0061.643] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0061.643] lstrlenW (lpString=".pdf") returned 4 [0061.644] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0061.644] lstrlenW (lpString=".xls") returned 4 [0061.644] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0061.644] lstrlenW (lpString=".xlsx") returned 5 [0061.644] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0061.644] lstrlenW (lpString=".ppt") returned 4 [0061.644] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0061.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.644] lstrlenW (lpString=".zip") returned 4 [0061.644] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0061.644] lstrlenW (lpString=".rar") returned 4 [0061.644] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0061.644] lstrlenW (lpString=".bz2") returned 4 [0061.644] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0061.644] lstrlenW (lpString=".7z") returned 3 [0061.644] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0061.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.644] lstrlenW (lpString=".dbf") returned 4 [0061.644] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0061.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.644] lstrlenW (lpString=".1cd") returned 4 [0061.644] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0061.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.645] lstrlenW (lpString=".jpg") returned 4 [0061.645] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.645] lstrlenW (lpString=".doc") returned 4 [0061.645] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString=".docx") returned 5 [0061.645] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0061.645] lstrlenW (lpString=".pdf") returned 4 [0061.645] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString=".xls") returned 4 [0061.645] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString=".xlsx") returned 5 [0061.645] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0061.645] lstrlenW (lpString=".ppt") returned 4 [0061.645] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.645] lstrlenW (lpString=".zip") returned 4 [0061.645] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString=".rar") returned 4 [0061.645] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0061.645] lstrlenW (lpString=".bz2") returned 4 [0061.645] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0061.645] lstrlenW (lpString=".7z") returned 3 [0061.645] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0061.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.646] lstrlenW (lpString=".dbf") returned 4 [0061.646] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0061.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.646] lstrlenW (lpString=".1cd") returned 4 [0061.646] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0061.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0061.646] lstrlenW (lpString=".jpg") returned 4 [0061.646] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0061.646] lstrcmpiW (lpString1=".FNT", lpString2=".NcOv") returned -1 [0061.646] lstrlenW (lpString="CGMIMP32.FNT") returned 12 [0061.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0064.118] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x302ff1c | out: lpFileSize=0x302ff1c*=606062) returned 1 [0064.118] CloseHandle (hObject=0x208) returned 1 [0064.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 0x20 [0064.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0064.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0064.118] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.119] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x302fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0064.119] GetLastError () returned 0x0 [0064.119] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x93f6e, lpOverlapped=0x0) returned 1 [0064.220] WriteFile (in: hFile=0x214, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0x93f70, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0x93f70, lpOverlapped=0x0) returned 1 [0064.235] ReadFile (in: hFile=0x208, lpBuffer=0x3a70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x302fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesRead=0x302fed4*=0x0, lpOverlapped=0x0) returned 1 [0064.235] WriteFile (in: hFile=0x214, lpBuffer=0x3a70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x302fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a70020*, lpNumberOfBytesWritten=0x302fc9c*=0xec, lpOverlapped=0x0) returned 1 [0064.235] SetEndOfFile (hFile=0x214) Thread: id = 16 os_tid = 0xb04 [0037.777] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x3791088 [0037.777] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x37a1090 [0037.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a838 [0037.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x55ace8 [0037.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a850 [0037.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3b80020 [0037.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a8f8 [0037.778] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a8f8, Size=0x20) returned 0x5a35b0 [0037.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a8f8 [0037.778] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a8f8, Size=0x20) returned 0x5a3600 [0037.778] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0037.778] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0037.778] Wow64DisableWow64FsRedirection (in: OldValue=0x327ff58 | out: OldValue=0x327ff58*=0x0) returned 1 [0037.778] lstrlenW (lpString="kernel32.dll") returned 12 [0037.778] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a35b0 | out: hHeap=0x500000) returned 1 [0037.779] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0037.779] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a3600 | out: hHeap=0x500000) returned 1 [0037.779] Sleep (dwMilliseconds=0x64) [0037.985] lstrcmpiW (lpString1=".ttf", lpString2=".NcOv") returned 1 [0037.985] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0037.985] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0038.029] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=1984228) returned 1 [0038.029] CloseHandle (hObject=0x1b0) returned 1 [0038.029] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0038.029] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.029] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0038.029] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.029] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.029] lstrlenW (lpString=".doc") returned 4 [0038.029] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0038.029] lstrlenW (lpString=".docx") returned 5 [0038.029] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0038.029] lstrlenW (lpString=".pdf") returned 4 [0038.029] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0038.030] lstrlenW (lpString=".xls") returned 4 [0038.030] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0038.030] lstrlenW (lpString=".xlsx") returned 5 [0038.030] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0038.030] lstrlenW (lpString=".ppt") returned 4 [0038.039] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0038.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.039] lstrlenW (lpString=".zip") returned 4 [0038.039] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0038.039] lstrlenW (lpString=".rar") returned 4 [0038.039] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0038.039] lstrlenW (lpString=".bz2") returned 4 [0038.039] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0038.039] lstrlenW (lpString=".7z") returned 3 [0038.039] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0038.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.039] lstrlenW (lpString=".dbf") returned 4 [0038.039] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0038.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.039] lstrlenW (lpString=".1cd") returned 4 [0038.039] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0038.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.039] lstrlenW (lpString=".jpg") returned 4 [0038.039] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.040] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.040] lstrlenW (lpString=".doc") returned 4 [0038.040] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString=".docx") returned 5 [0038.040] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0038.040] lstrlenW (lpString=".pdf") returned 4 [0038.040] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString=".xls") returned 4 [0038.040] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0038.040] lstrlenW (lpString=".xlsx") returned 5 [0038.040] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0038.040] lstrlenW (lpString=".ppt") returned 4 [0038.040] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.040] lstrlenW (lpString=".zip") returned 4 [0038.040] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0038.040] lstrlenW (lpString=".rar") returned 4 [0038.040] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString=".bz2") returned 4 [0038.040] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString=".7z") returned 3 [0038.040] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0038.040] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.040] lstrlenW (lpString=".dbf") returned 4 [0038.040] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.040] lstrlenW (lpString=".1cd") returned 4 [0038.040] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0038.040] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0038.040] lstrlenW (lpString=".jpg") returned 4 [0038.040] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0038.041] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0038.041] lstrlenW (lpString="PptLR.cab") returned 9 [0038.041] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.305] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=70361744) returned 1 [0038.306] CloseHandle (hObject=0x1bc) returned 1 [0038.306] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0038.306] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.306] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0038.306] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.306] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.306] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.306] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.487] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.487] ReadFile (in: hFile=0x1bc, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.500] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.500] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.500] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.521] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.522] WriteFile (in: hFile=0x1bc, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0038.821] SetEndOfFile (hFile=0x1bc) returned 1 [0038.822] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f05098 [0038.826] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.826] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.827] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.827] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.827] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.828] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.829] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f05098 | out: hHeap=0x500000) returned 1 [0038.830] CloseHandle (hObject=0x1bc) returned 1 [0042.154] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0042.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.154] lstrlenW (lpString=".doc") returned 4 [0042.154] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.154] lstrlenW (lpString=".docx") returned 5 [0042.154] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.154] lstrlenW (lpString=".pdf") returned 4 [0042.154] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.154] lstrlenW (lpString=".xls") returned 4 [0042.154] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.154] lstrlenW (lpString=".xlsx") returned 5 [0042.155] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.155] lstrlenW (lpString=".ppt") returned 4 [0042.155] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.155] lstrlenW (lpString=".zip") returned 4 [0042.155] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString=".rar") returned 4 [0042.155] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString=".bz2") returned 4 [0042.155] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.155] lstrlenW (lpString=".7z") returned 3 [0042.155] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.155] lstrlenW (lpString=".dbf") returned 4 [0042.155] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.155] lstrlenW (lpString=".1cd") returned 4 [0042.155] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.155] lstrlenW (lpString=".jpg") returned 4 [0042.155] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.155] lstrlenW (lpString=".doc") returned 4 [0042.155] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString=".docx") returned 5 [0042.155] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.155] lstrlenW (lpString=".pdf") returned 4 [0042.155] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString=".xls") returned 4 [0042.155] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.155] lstrlenW (lpString=".xlsx") returned 5 [0042.155] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.155] lstrlenW (lpString=".ppt") returned 4 [0042.156] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.156] lstrlenW (lpString=".zip") returned 4 [0042.156] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.156] lstrlenW (lpString=".rar") returned 4 [0042.156] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.156] lstrlenW (lpString=".bz2") returned 4 [0042.156] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.156] lstrlenW (lpString=".7z") returned 3 [0042.156] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.156] lstrlenW (lpString=".dbf") returned 4 [0042.156] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.156] lstrlenW (lpString=".1cd") returned 4 [0042.156] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0042.156] lstrlenW (lpString=".jpg") returned 4 [0042.156] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.156] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0042.156] lstrlenW (lpString="WordLR.cab") returned 10 [0042.156] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.157] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=43806141) returned 1 [0042.157] CloseHandle (hObject=0x1bc) returned 1 [0042.157] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0042.157] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0042.157] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0042.158] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.158] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.158] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.158] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.165] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.165] ReadFile (in: hFile=0x1bc, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.171] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.171] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.171] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.187] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.187] WriteFile (in: hFile=0x1bc, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0042.202] SetEndOfFile (hFile=0x1bc) returned 1 [0042.203] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0042.203] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.203] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.204] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.204] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.949] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.949] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0042.952] CloseHandle (hObject=0x1bc) returned 1 [0045.221] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0045.222] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.222] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.222] lstrlenW (lpString=".doc") returned 4 [0045.222] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.222] lstrlenW (lpString=".docx") returned 5 [0045.222] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.222] lstrlenW (lpString=".pdf") returned 4 [0045.222] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.222] lstrlenW (lpString=".xls") returned 4 [0045.222] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.222] lstrlenW (lpString=".xlsx") returned 5 [0045.222] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.222] lstrlenW (lpString=".ppt") returned 4 [0045.222] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.222] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.223] lstrlenW (lpString=".zip") returned 4 [0045.223] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString=".rar") returned 4 [0045.223] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString=".bz2") returned 4 [0045.223] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.223] lstrlenW (lpString=".7z") returned 3 [0045.223] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.223] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.223] lstrlenW (lpString=".dbf") returned 4 [0045.223] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.223] lstrlenW (lpString=".1cd") returned 4 [0045.223] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.223] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.223] lstrlenW (lpString=".jpg") returned 4 [0045.223] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.223] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.223] lstrlenW (lpString=".doc") returned 4 [0045.223] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString=".docx") returned 5 [0045.223] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.223] lstrlenW (lpString=".pdf") returned 4 [0045.223] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString=".xls") returned 4 [0045.223] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString=".xlsx") returned 5 [0045.223] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.223] lstrlenW (lpString=".ppt") returned 4 [0045.223] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.223] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.224] lstrlenW (lpString=".zip") returned 4 [0045.224] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.224] lstrlenW (lpString=".rar") returned 4 [0045.224] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.224] lstrlenW (lpString=".bz2") returned 4 [0045.224] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.224] lstrlenW (lpString=".7z") returned 3 [0045.224] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.224] lstrlenW (lpString=".dbf") returned 4 [0045.224] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.224] lstrlenW (lpString=".1cd") returned 4 [0045.224] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0045.224] lstrlenW (lpString=".jpg") returned 4 [0045.224] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.224] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0045.224] lstrlenW (lpString="Proof.msi") returned 9 [0045.224] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0045.656] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=885760) returned 1 [0045.656] CloseHandle (hObject=0x1c4) returned 1 [0045.656] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0045.656] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0045.656] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0045.661] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.662] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.662] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0045.666] GetLastError () returned 0x0 [0045.666] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xd8400, lpOverlapped=0x0) returned 1 [0045.722] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0045.978] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.979] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0045.979] SetEndOfFile (hFile=0x1a0) returned 1 [0045.979] CloseHandle (hObject=0x1a0) returned 1 [0045.991] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.991] SetEndOfFile (hFile=0x1c4) returned 1 [0046.001] CloseHandle (hObject=0x1c4) returned 1 [0046.001] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0046.002] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0046.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.002] lstrlenW (lpString=".doc") returned 4 [0046.002] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.002] lstrlenW (lpString=".docx") returned 5 [0046.002] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0046.002] lstrlenW (lpString=".pdf") returned 4 [0046.002] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.002] lstrlenW (lpString=".xls") returned 4 [0046.002] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.002] lstrlenW (lpString=".xlsx") returned 5 [0046.002] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0046.002] lstrlenW (lpString=".ppt") returned 4 [0046.002] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.003] lstrlenW (lpString=".zip") returned 4 [0046.003] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.003] lstrlenW (lpString=".rar") returned 4 [0046.003] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.003] lstrlenW (lpString=".bz2") returned 4 [0046.003] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.003] lstrlenW (lpString=".7z") returned 3 [0046.003] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.003] lstrlenW (lpString=".dbf") returned 4 [0046.003] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.003] lstrlenW (lpString=".1cd") returned 4 [0046.003] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.003] lstrlenW (lpString=".jpg") returned 4 [0046.003] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.003] lstrlenW (lpString=".doc") returned 4 [0046.003] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.003] lstrlenW (lpString=".docx") returned 5 [0046.003] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0046.003] lstrlenW (lpString=".pdf") returned 4 [0046.003] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.003] lstrlenW (lpString=".xls") returned 4 [0046.003] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.004] lstrlenW (lpString=".xlsx") returned 5 [0046.004] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0046.004] lstrlenW (lpString=".ppt") returned 4 [0046.004] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.004] lstrlenW (lpString=".zip") returned 4 [0046.004] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.004] lstrlenW (lpString=".rar") returned 4 [0046.004] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.004] lstrlenW (lpString=".bz2") returned 4 [0046.004] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.004] lstrlenW (lpString=".7z") returned 3 [0046.004] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.004] lstrlenW (lpString=".dbf") returned 4 [0046.004] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.004] lstrlenW (lpString=".1cd") returned 4 [0046.004] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0046.004] lstrlenW (lpString=".jpg") returned 4 [0046.004] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.004] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0046.004] lstrlenW (lpString="Proofing.msi") returned 12 [0046.005] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0046.005] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=868864) returned 1 [0046.005] CloseHandle (hObject=0x1c4) returned 1 [0046.005] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0046.005] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.005] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0046.005] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.006] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.006] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0046.006] GetLastError () returned 0x0 [0046.006] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0046.369] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0046.390] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.391] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.391] SetEndOfFile (hFile=0x1a0) returned 1 [0046.391] CloseHandle (hObject=0x1a0) returned 1 [0046.735] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.735] SetEndOfFile (hFile=0x1c4) returned 1 [0046.896] CloseHandle (hObject=0x1c4) returned 1 [0046.897] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0046.897] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0046.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.897] lstrlenW (lpString=".doc") returned 4 [0046.897] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.897] lstrlenW (lpString=".docx") returned 5 [0046.897] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0046.897] lstrlenW (lpString=".pdf") returned 4 [0046.897] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.897] lstrlenW (lpString=".xls") returned 4 [0046.897] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.897] lstrlenW (lpString=".xlsx") returned 5 [0046.897] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0046.897] lstrlenW (lpString=".ppt") returned 4 [0046.897] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.897] lstrlenW (lpString=".zip") returned 4 [0046.897] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.897] lstrlenW (lpString=".rar") returned 4 [0046.898] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.898] lstrlenW (lpString=".bz2") returned 4 [0046.898] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.898] lstrlenW (lpString=".7z") returned 3 [0046.898] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.898] lstrlenW (lpString=".dbf") returned 4 [0046.898] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.898] lstrlenW (lpString=".1cd") returned 4 [0046.898] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.898] lstrlenW (lpString=".jpg") returned 4 [0046.898] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.898] lstrlenW (lpString=".doc") returned 4 [0046.898] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.898] lstrlenW (lpString=".docx") returned 5 [0046.898] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0046.898] lstrlenW (lpString=".pdf") returned 4 [0046.898] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.898] lstrlenW (lpString=".xls") returned 4 [0046.898] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.898] lstrlenW (lpString=".xlsx") returned 5 [0046.898] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0046.898] lstrlenW (lpString=".ppt") returned 4 [0046.898] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.898] lstrlenW (lpString=".zip") returned 4 [0046.898] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.898] lstrlenW (lpString=".rar") returned 4 [0046.898] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.899] lstrlenW (lpString=".bz2") returned 4 [0046.899] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.899] lstrlenW (lpString=".7z") returned 3 [0046.899] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.899] lstrlenW (lpString=".dbf") returned 4 [0046.899] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.899] lstrlenW (lpString=".1cd") returned 4 [0046.899] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0046.899] lstrlenW (lpString=".jpg") returned 4 [0046.899] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.899] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0046.899] lstrlenW (lpString="Office32MUI.msi") returned 15 [0046.899] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0046.899] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=873984) returned 1 [0046.899] CloseHandle (hObject=0x1c4) returned 1 [0046.900] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0046.900] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0046.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0046.900] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.900] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0046.901] GetLastError () returned 0x0 [0046.901] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xd5600, lpOverlapped=0x0) returned 1 [0046.972] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0047.381] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.381] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0047.381] SetEndOfFile (hFile=0x208) returned 1 [0047.381] CloseHandle (hObject=0x208) returned 1 [0047.523] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.523] SetEndOfFile (hFile=0x1c4) returned 1 [0047.531] CloseHandle (hObject=0x1c4) returned 1 [0047.531] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0047.532] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0047.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.532] lstrlenW (lpString=".doc") returned 4 [0047.532] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.532] lstrlenW (lpString=".docx") returned 5 [0047.532] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.532] lstrlenW (lpString=".pdf") returned 4 [0047.532] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.532] lstrlenW (lpString=".xls") returned 4 [0047.532] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.532] lstrlenW (lpString=".xlsx") returned 5 [0047.532] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.532] lstrlenW (lpString=".ppt") returned 4 [0047.532] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.532] lstrlenW (lpString=".zip") returned 4 [0047.532] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.533] lstrlenW (lpString=".rar") returned 4 [0047.533] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.533] lstrlenW (lpString=".bz2") returned 4 [0047.533] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.533] lstrlenW (lpString=".7z") returned 3 [0047.533] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.533] lstrlenW (lpString=".dbf") returned 4 [0047.533] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.533] lstrlenW (lpString=".1cd") returned 4 [0047.533] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.533] lstrlenW (lpString=".jpg") returned 4 [0047.533] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.533] lstrlenW (lpString=".doc") returned 4 [0047.533] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.533] lstrlenW (lpString=".docx") returned 5 [0047.533] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.533] lstrlenW (lpString=".pdf") returned 4 [0047.533] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.533] lstrlenW (lpString=".xls") returned 4 [0047.533] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.533] lstrlenW (lpString=".xlsx") returned 5 [0047.533] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.533] lstrlenW (lpString=".ppt") returned 4 [0047.533] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.533] lstrlenW (lpString=".zip") returned 4 [0047.534] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.534] lstrlenW (lpString=".rar") returned 4 [0047.534] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.534] lstrlenW (lpString=".bz2") returned 4 [0047.534] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.534] lstrlenW (lpString=".7z") returned 3 [0047.534] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.534] lstrlenW (lpString=".dbf") returned 4 [0047.534] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.534] lstrlenW (lpString=".1cd") returned 4 [0047.534] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0047.534] lstrlenW (lpString=".jpg") returned 4 [0047.534] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.534] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0047.534] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0047.534] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0047.535] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=2928955) returned 1 [0047.535] CloseHandle (hObject=0x1c4) returned 1 [0047.535] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0047.535] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.535] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0047.536] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0047.536] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.536] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.536] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.539] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.539] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.550] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.550] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.550] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.566] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.566] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0047.835] SetEndOfFile (hFile=0x1c4) returned 1 [0047.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f660d0 [0047.843] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.843] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.845] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.845] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.850] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.850] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.852] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f660d0 | out: hHeap=0x500000) returned 1 [0047.853] CloseHandle (hObject=0x1c4) returned 1 [0047.853] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0047.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.853] lstrlenW (lpString=".doc") returned 4 [0047.853] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.853] lstrlenW (lpString=".docx") returned 5 [0047.853] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.853] lstrlenW (lpString=".pdf") returned 4 [0047.853] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.853] lstrlenW (lpString=".xls") returned 4 [0047.853] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.853] lstrlenW (lpString=".xlsx") returned 5 [0047.853] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.853] lstrlenW (lpString=".ppt") returned 4 [0047.853] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.853] lstrlenW (lpString=".zip") returned 4 [0047.853] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.853] lstrlenW (lpString=".rar") returned 4 [0047.853] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString=".bz2") returned 4 [0047.854] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.854] lstrlenW (lpString=".7z") returned 3 [0047.854] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.854] lstrlenW (lpString=".dbf") returned 4 [0047.854] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.854] lstrlenW (lpString=".1cd") returned 4 [0047.854] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.854] lstrlenW (lpString=".jpg") returned 4 [0047.854] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.854] lstrlenW (lpString=".doc") returned 4 [0047.854] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString=".docx") returned 5 [0047.854] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.854] lstrlenW (lpString=".pdf") returned 4 [0047.854] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString=".xls") returned 4 [0047.854] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString=".xlsx") returned 5 [0047.854] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.854] lstrlenW (lpString=".ppt") returned 4 [0047.854] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.854] lstrlenW (lpString=".zip") returned 4 [0047.854] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString=".rar") returned 4 [0047.854] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.854] lstrlenW (lpString=".bz2") returned 4 [0047.854] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.854] lstrlenW (lpString=".7z") returned 3 [0047.854] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.855] lstrlenW (lpString=".dbf") returned 4 [0047.855] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.855] lstrlenW (lpString=".1cd") returned 4 [0047.855] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0047.855] lstrlenW (lpString=".jpg") returned 4 [0047.855] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.855] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0047.855] lstrlenW (lpString="VisioLR.cab") returned 11 [0047.855] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0047.856] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=50823389) returned 1 [0047.856] CloseHandle (hObject=0x1c4) returned 1 [0047.856] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0047.856] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.856] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0047.857] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0047.857] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.857] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.857] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.787] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.787] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.905] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.905] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.905] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.982] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.982] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0049.000] SetEndOfFile (hFile=0x1c4) returned 1 [0049.000] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f960e8 [0049.000] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.000] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f960e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960e8*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.001] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.001] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f960e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960e8*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.002] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.002] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f960e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960e8*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f960e8 | out: hHeap=0x500000) returned 1 [0049.004] CloseHandle (hObject=0x1c4) returned 1 [0049.004] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.005] lstrlenW (lpString=".doc") returned 4 [0049.005] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString=".docx") returned 5 [0049.005] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0049.005] lstrlenW (lpString=".pdf") returned 4 [0049.005] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString=".xls") returned 4 [0049.005] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString=".xlsx") returned 5 [0049.005] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0049.005] lstrlenW (lpString=".ppt") returned 4 [0049.005] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.005] lstrlenW (lpString=".zip") returned 4 [0049.005] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString=".rar") returned 4 [0049.005] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString=".bz2") returned 4 [0049.005] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.005] lstrlenW (lpString=".7z") returned 3 [0049.005] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.005] lstrlenW (lpString=".dbf") returned 4 [0049.005] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.005] lstrlenW (lpString=".1cd") returned 4 [0049.005] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.005] lstrlenW (lpString=".jpg") returned 4 [0049.005] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.006] lstrlenW (lpString=".doc") returned 4 [0049.006] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString=".docx") returned 5 [0049.006] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0049.006] lstrlenW (lpString=".pdf") returned 4 [0049.006] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString=".xls") returned 4 [0049.006] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString=".xlsx") returned 5 [0049.006] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0049.006] lstrlenW (lpString=".ppt") returned 4 [0049.006] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.006] lstrlenW (lpString=".zip") returned 4 [0049.006] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString=".rar") returned 4 [0049.006] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.006] lstrlenW (lpString=".bz2") returned 4 [0049.006] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.006] lstrlenW (lpString=".7z") returned 3 [0049.006] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.042] lstrlenW (lpString=".dbf") returned 4 [0049.042] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.042] lstrlenW (lpString=".1cd") returned 4 [0049.042] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0049.042] lstrlenW (lpString=".jpg") returned 4 [0049.042] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.043] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0049.043] lstrlenW (lpString="ProjLR.cab") returned 10 [0049.043] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.194] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=8265165) returned 1 [0049.194] CloseHandle (hObject=0x1c4) returned 1 [0049.194] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0049.194] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.194] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0049.195] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.195] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.195] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.195] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.205] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.205] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.220] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.220] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.220] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.241] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.242] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0049.418] SetEndOfFile (hFile=0x1c4) returned 1 [0049.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60d8 [0049.495] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.496] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.500] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.500] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.503] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.503] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.506] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60d8 | out: hHeap=0x500000) returned 1 [0049.507] CloseHandle (hObject=0x1c4) returned 1 [0049.507] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.507] lstrlenW (lpString=".doc") returned 4 [0049.507] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.507] lstrlenW (lpString=".docx") returned 5 [0049.507] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0049.507] lstrlenW (lpString=".pdf") returned 4 [0049.507] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.508] lstrlenW (lpString=".xls") returned 4 [0049.508] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.508] lstrlenW (lpString=".xlsx") returned 5 [0049.508] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0049.508] lstrlenW (lpString=".ppt") returned 4 [0049.508] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.508] lstrlenW (lpString=".zip") returned 4 [0049.508] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.508] lstrlenW (lpString=".rar") returned 4 [0049.508] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.508] lstrlenW (lpString=".bz2") returned 4 [0049.508] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.508] lstrlenW (lpString=".7z") returned 3 [0049.508] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.508] lstrlenW (lpString=".dbf") returned 4 [0049.508] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.508] lstrlenW (lpString=".1cd") returned 4 [0049.508] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.508] lstrlenW (lpString=".jpg") returned 4 [0049.508] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.509] lstrlenW (lpString=".doc") returned 4 [0049.509] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString=".docx") returned 5 [0049.509] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0049.509] lstrlenW (lpString=".pdf") returned 4 [0049.509] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString=".xls") returned 4 [0049.509] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString=".xlsx") returned 5 [0049.509] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0049.509] lstrlenW (lpString=".ppt") returned 4 [0049.509] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.509] lstrlenW (lpString=".zip") returned 4 [0049.509] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString=".rar") returned 4 [0049.509] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.509] lstrlenW (lpString=".bz2") returned 4 [0049.509] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.509] lstrlenW (lpString=".7z") returned 3 [0049.509] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.509] lstrlenW (lpString=".dbf") returned 4 [0049.510] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.510] lstrlenW (lpString=".1cd") returned 4 [0049.510] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0049.510] lstrlenW (lpString=".jpg") returned 4 [0049.510] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.510] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0049.510] lstrlenW (lpString="dwintl20.dll") returned 12 [0049.510] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.511] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=107912) returned 1 [0049.511] CloseHandle (hObject=0x1c4) returned 1 [0049.511] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0049.511] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.511] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.511] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.542] GetLastError () returned 0x0 [0049.542] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0049.555] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0049.557] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.557] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.557] SetEndOfFile (hFile=0x208) returned 1 [0049.557] CloseHandle (hObject=0x208) returned 1 [0049.558] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.558] SetEndOfFile (hFile=0x1c4) returned 1 [0049.559] CloseHandle (hObject=0x1c4) returned 1 [0049.559] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.559] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString=".doc") returned 4 [0049.560] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString=".docx") returned 5 [0049.560] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0049.560] lstrlenW (lpString=".pdf") returned 4 [0049.560] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString=".xls") returned 4 [0049.560] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString=".xlsx") returned 5 [0049.560] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0049.560] lstrlenW (lpString=".ppt") returned 4 [0049.560] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString=".zip") returned 4 [0049.560] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString=".rar") returned 4 [0049.560] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString=".bz2") returned 4 [0049.560] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.560] lstrlenW (lpString=".7z") returned 3 [0049.560] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString=".dbf") returned 4 [0049.560] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString=".1cd") returned 4 [0049.560] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString=".jpg") returned 4 [0049.560] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.560] lstrlenW (lpString=".doc") returned 4 [0049.561] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.561] lstrlenW (lpString=".docx") returned 5 [0049.561] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0049.561] lstrlenW (lpString=".pdf") returned 4 [0049.561] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.561] lstrlenW (lpString=".xls") returned 4 [0049.561] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.561] lstrlenW (lpString=".xlsx") returned 5 [0049.561] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0049.561] lstrlenW (lpString=".ppt") returned 4 [0049.561] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.561] lstrlenW (lpString=".zip") returned 4 [0049.561] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.561] lstrlenW (lpString=".rar") returned 4 [0049.561] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.561] lstrlenW (lpString=".bz2") returned 4 [0049.561] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.561] lstrlenW (lpString=".7z") returned 3 [0049.561] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.561] lstrlenW (lpString=".dbf") returned 4 [0049.561] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.561] lstrlenW (lpString=".1cd") returned 4 [0049.561] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0049.561] lstrlenW (lpString=".jpg") returned 4 [0049.561] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.561] lstrcmpiW (lpString1=".EXE", lpString2=".NcOv") returned -1 [0049.561] lstrlenW (lpString="DW20.EXE") returned 8 [0049.561] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.562] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=838536) returned 1 [0049.562] CloseHandle (hObject=0x1c4) returned 1 [0049.563] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0049.563] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.563] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.563] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.563] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.563] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.563] GetLastError () returned 0x0 [0049.563] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xccb88, lpOverlapped=0x0) returned 1 [0049.618] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0049.632] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.632] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0049.632] SetEndOfFile (hFile=0x208) returned 1 [0049.633] CloseHandle (hObject=0x208) returned 1 [0049.633] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.633] SetEndOfFile (hFile=0x1c4) returned 1 [0049.640] CloseHandle (hObject=0x1c4) returned 1 [0049.640] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.640] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0049.641] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.641] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.641] lstrlenW (lpString=".doc") returned 4 [0049.641] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0049.641] lstrlenW (lpString=".docx") returned 5 [0049.641] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0049.641] lstrlenW (lpString=".pdf") returned 4 [0049.641] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0049.641] lstrlenW (lpString=".xls") returned 4 [0049.641] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0049.641] lstrlenW (lpString=".xlsx") returned 5 [0049.641] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0049.641] lstrlenW (lpString=".ppt") returned 4 [0049.641] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0049.641] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.641] lstrlenW (lpString=".zip") returned 4 [0049.641] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0049.641] lstrlenW (lpString=".rar") returned 4 [0049.641] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0049.641] lstrlenW (lpString=".bz2") returned 4 [0049.641] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0049.641] lstrlenW (lpString=".7z") returned 3 [0049.641] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0049.641] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.641] lstrlenW (lpString=".dbf") returned 4 [0049.641] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0049.641] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.641] lstrlenW (lpString=".1cd") returned 4 [0049.641] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0049.641] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.641] lstrlenW (lpString=".jpg") returned 4 [0049.641] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0049.642] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.642] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.642] lstrlenW (lpString=".doc") returned 4 [0049.642] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0049.642] lstrlenW (lpString=".docx") returned 5 [0049.642] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0049.642] lstrlenW (lpString=".pdf") returned 4 [0049.642] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0049.642] lstrlenW (lpString=".xls") returned 4 [0049.642] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0049.642] lstrlenW (lpString=".xlsx") returned 5 [0049.642] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0049.642] lstrlenW (lpString=".ppt") returned 4 [0049.642] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0049.642] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.642] lstrlenW (lpString=".zip") returned 4 [0049.642] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0049.642] lstrlenW (lpString=".rar") returned 4 [0049.642] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0049.642] lstrlenW (lpString=".bz2") returned 4 [0049.642] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0049.642] lstrlenW (lpString=".7z") returned 3 [0049.642] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0049.642] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.642] lstrlenW (lpString=".dbf") returned 4 [0049.642] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0049.642] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.642] lstrlenW (lpString=".1cd") returned 4 [0049.642] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0049.642] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0049.642] lstrlenW (lpString=".jpg") returned 4 [0049.642] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0049.643] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0049.643] lstrlenW (lpString="dwdcw20.dll") returned 11 [0049.643] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.643] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=526176) returned 1 [0049.643] CloseHandle (hObject=0x1c4) returned 1 [0049.643] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0049.643] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.643] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.643] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.643] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.643] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.644] GetLastError () returned 0x0 [0049.644] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x80760, lpOverlapped=0x0) returned 1 [0049.679] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0049.688] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.688] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.688] SetEndOfFile (hFile=0x208) returned 1 [0049.688] CloseHandle (hObject=0x208) returned 1 [0049.689] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.689] SetEndOfFile (hFile=0x1c4) returned 1 [0049.694] CloseHandle (hObject=0x1c4) returned 1 [0049.694] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.694] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0049.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.695] lstrlenW (lpString=".doc") returned 4 [0049.695] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.695] lstrlenW (lpString=".docx") returned 5 [0049.695] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0049.695] lstrlenW (lpString=".pdf") returned 4 [0049.695] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.695] lstrlenW (lpString=".xls") returned 4 [0049.695] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.695] lstrlenW (lpString=".xlsx") returned 5 [0049.695] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0049.695] lstrlenW (lpString=".ppt") returned 4 [0049.695] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.695] lstrlenW (lpString=".zip") returned 4 [0049.695] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.695] lstrlenW (lpString=".rar") returned 4 [0049.695] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.695] lstrlenW (lpString=".bz2") returned 4 [0049.695] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.695] lstrlenW (lpString=".7z") returned 3 [0049.695] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.695] lstrlenW (lpString=".dbf") returned 4 [0049.695] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.695] lstrlenW (lpString=".1cd") returned 4 [0049.695] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString=".jpg") returned 4 [0049.696] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString=".doc") returned 4 [0049.696] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString=".docx") returned 5 [0049.696] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0049.696] lstrlenW (lpString=".pdf") returned 4 [0049.696] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString=".xls") returned 4 [0049.696] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString=".xlsx") returned 5 [0049.696] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0049.696] lstrlenW (lpString=".ppt") returned 4 [0049.696] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString=".zip") returned 4 [0049.696] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString=".rar") returned 4 [0049.696] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.696] lstrlenW (lpString=".bz2") returned 4 [0049.696] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.696] lstrlenW (lpString=".7z") returned 3 [0049.696] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString=".dbf") returned 4 [0049.696] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString=".1cd") returned 4 [0049.696] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0049.696] lstrlenW (lpString=".jpg") returned 4 [0049.696] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.697] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0049.697] lstrlenW (lpString="dwtrig20.exe") returned 12 [0049.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.697] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=519584) returned 1 [0049.697] CloseHandle (hObject=0x1c4) returned 1 [0049.697] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0049.697] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.697] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.697] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.698] GetLastError () returned 0x0 [0049.698] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0050.610] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0050.620] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.621] WriteFile (in: hFile=0x208, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.621] SetEndOfFile (hFile=0x208) returned 1 [0050.965] CloseHandle (hObject=0x208) returned 1 [0050.966] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.966] SetEndOfFile (hFile=0x1c4) returned 1 [0050.991] CloseHandle (hObject=0x1c4) returned 1 [0050.991] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0050.991] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.274] lstrlenW (lpString=".doc") returned 4 [0051.274] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.274] lstrlenW (lpString=".docx") returned 5 [0051.274] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0051.274] lstrlenW (lpString=".pdf") returned 4 [0051.274] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.274] lstrlenW (lpString=".xls") returned 4 [0051.274] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.274] lstrlenW (lpString=".xlsx") returned 5 [0051.274] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0051.274] lstrlenW (lpString=".ppt") returned 4 [0051.274] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.274] lstrlenW (lpString=".zip") returned 4 [0051.274] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.274] lstrlenW (lpString=".rar") returned 4 [0051.274] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.274] lstrlenW (lpString=".bz2") returned 4 [0051.274] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.274] lstrlenW (lpString=".7z") returned 3 [0051.274] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.274] lstrlenW (lpString=".dbf") returned 4 [0051.274] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.274] lstrlenW (lpString=".1cd") returned 4 [0051.275] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.275] lstrlenW (lpString=".jpg") returned 4 [0051.275] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.275] lstrlenW (lpString=".doc") returned 4 [0051.275] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.275] lstrlenW (lpString=".docx") returned 5 [0051.275] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0051.275] lstrlenW (lpString=".pdf") returned 4 [0051.275] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.275] lstrlenW (lpString=".xls") returned 4 [0051.275] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.275] lstrlenW (lpString=".xlsx") returned 5 [0051.275] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0051.275] lstrlenW (lpString=".ppt") returned 4 [0051.275] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.275] lstrlenW (lpString=".zip") returned 4 [0051.275] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.275] lstrlenW (lpString=".rar") returned 4 [0051.275] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.275] lstrlenW (lpString=".bz2") returned 4 [0051.275] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.275] lstrlenW (lpString=".7z") returned 3 [0051.276] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.276] lstrlenW (lpString=".dbf") returned 4 [0051.276] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.276] lstrlenW (lpString=".1cd") returned 4 [0051.276] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0051.276] lstrlenW (lpString=".jpg") returned 4 [0051.276] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.276] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0051.276] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0051.276] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0051.277] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=868864) returned 1 [0051.277] CloseHandle (hObject=0x19c) returned 1 [0051.277] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0051.277] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.277] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0051.277] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.277] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.277] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0051.278] GetLastError () returned 0x0 [0051.278] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0051.312] WriteFile (in: hFile=0x218, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0051.492] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.492] WriteFile (in: hFile=0x218, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0051.492] SetEndOfFile (hFile=0x218) returned 1 [0051.493] CloseHandle (hObject=0x218) returned 1 [0051.493] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.493] SetEndOfFile (hFile=0x19c) returned 1 [0051.503] CloseHandle (hObject=0x19c) returned 1 [0051.504] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.504] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0051.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.504] lstrlenW (lpString=".doc") returned 4 [0051.504] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.504] lstrlenW (lpString=".docx") returned 5 [0051.505] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0051.505] lstrlenW (lpString=".pdf") returned 4 [0051.505] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.505] lstrlenW (lpString=".xls") returned 4 [0051.505] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.505] lstrlenW (lpString=".xlsx") returned 5 [0051.505] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0051.505] lstrlenW (lpString=".ppt") returned 4 [0051.505] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.505] lstrlenW (lpString=".zip") returned 4 [0051.505] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.505] lstrlenW (lpString=".rar") returned 4 [0051.505] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.505] lstrlenW (lpString=".bz2") returned 4 [0051.505] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.505] lstrlenW (lpString=".7z") returned 3 [0051.505] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.505] lstrlenW (lpString=".dbf") returned 4 [0051.505] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.505] lstrlenW (lpString=".1cd") returned 4 [0051.505] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.505] lstrlenW (lpString=".jpg") returned 4 [0051.505] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.506] lstrlenW (lpString=".doc") returned 4 [0051.506] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.506] lstrlenW (lpString=".docx") returned 5 [0051.506] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0051.506] lstrlenW (lpString=".pdf") returned 4 [0051.506] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.506] lstrlenW (lpString=".xls") returned 4 [0051.506] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.506] lstrlenW (lpString=".xlsx") returned 5 [0051.506] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0051.506] lstrlenW (lpString=".ppt") returned 4 [0051.506] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.506] lstrlenW (lpString=".zip") returned 4 [0051.506] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.506] lstrlenW (lpString=".rar") returned 4 [0051.506] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.506] lstrlenW (lpString=".bz2") returned 4 [0051.506] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.506] lstrlenW (lpString=".7z") returned 3 [0051.506] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.506] lstrlenW (lpString=".dbf") returned 4 [0051.506] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.506] lstrlenW (lpString=".1cd") returned 4 [0051.506] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0051.507] lstrlenW (lpString=".jpg") returned 4 [0051.507] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.507] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0051.507] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0051.507] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0051.507] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=868864) returned 1 [0051.507] CloseHandle (hObject=0x19c) returned 1 [0051.507] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0051.508] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0051.508] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.508] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0051.509] GetLastError () returned 0x0 [0051.509] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0051.739] WriteFile (in: hFile=0x218, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0052.037] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.037] WriteFile (in: hFile=0x218, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0052.037] SetEndOfFile (hFile=0x218) returned 1 [0052.037] CloseHandle (hObject=0x218) returned 1 [0052.037] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.038] SetEndOfFile (hFile=0x19c) returned 1 [0052.046] CloseHandle (hObject=0x19c) returned 1 [0052.046] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.046] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0052.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.046] lstrlenW (lpString=".doc") returned 4 [0052.046] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.046] lstrlenW (lpString=".docx") returned 5 [0052.046] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0052.046] lstrlenW (lpString=".pdf") returned 4 [0052.046] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.046] lstrlenW (lpString=".xls") returned 4 [0052.046] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.046] lstrlenW (lpString=".xlsx") returned 5 [0052.047] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0052.047] lstrlenW (lpString=".ppt") returned 4 [0052.047] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.047] lstrlenW (lpString=".zip") returned 4 [0052.047] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.047] lstrlenW (lpString=".rar") returned 4 [0052.047] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.047] lstrlenW (lpString=".bz2") returned 4 [0052.047] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.047] lstrlenW (lpString=".7z") returned 3 [0052.047] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.047] lstrlenW (lpString=".dbf") returned 4 [0052.047] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.047] lstrlenW (lpString=".1cd") returned 4 [0052.047] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.047] lstrlenW (lpString=".jpg") returned 4 [0052.047] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.047] lstrlenW (lpString=".doc") returned 4 [0052.047] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.047] lstrlenW (lpString=".docx") returned 5 [0052.047] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0052.047] lstrlenW (lpString=".pdf") returned 4 [0052.047] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.047] lstrlenW (lpString=".xls") returned 4 [0052.047] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.047] lstrlenW (lpString=".xlsx") returned 5 [0052.047] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0052.047] lstrlenW (lpString=".ppt") returned 4 [0052.047] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.048] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.048] lstrlenW (lpString=".zip") returned 4 [0052.048] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.048] lstrlenW (lpString=".rar") returned 4 [0052.048] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.048] lstrlenW (lpString=".bz2") returned 4 [0052.048] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.048] lstrlenW (lpString=".7z") returned 3 [0052.048] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.048] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.048] lstrlenW (lpString=".dbf") returned 4 [0052.048] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.048] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.048] lstrlenW (lpString=".1cd") returned 4 [0052.048] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.048] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0052.048] lstrlenW (lpString=".jpg") returned 4 [0052.048] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.048] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0052.048] lstrlenW (lpString="ose.exe") returned 7 [0052.048] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0052.049] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=174440) returned 1 [0052.049] CloseHandle (hObject=0x19c) returned 1 [0052.050] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0052.050] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.050] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0052.050] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.050] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.050] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0052.051] GetLastError () returned 0x0 [0052.051] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0052.062] WriteFile (in: hFile=0x218, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0052.067] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.068] WriteFile (in: hFile=0x218, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0052.068] SetEndOfFile (hFile=0x218) returned 1 [0052.068] CloseHandle (hObject=0x218) returned 1 [0052.068] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.068] SetEndOfFile (hFile=0x19c) returned 1 [0052.070] CloseHandle (hObject=0x19c) returned 1 [0052.070] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.070] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0052.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.070] lstrlenW (lpString=".doc") returned 4 [0052.070] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.070] lstrlenW (lpString=".docx") returned 5 [0052.070] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.071] lstrlenW (lpString=".pdf") returned 4 [0052.071] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString=".xls") returned 4 [0052.071] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString=".xlsx") returned 5 [0052.071] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.071] lstrlenW (lpString=".ppt") returned 4 [0052.071] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.071] lstrlenW (lpString=".zip") returned 4 [0052.071] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString=".rar") returned 4 [0052.071] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString=".bz2") returned 4 [0052.071] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.071] lstrlenW (lpString=".7z") returned 3 [0052.071] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.071] lstrlenW (lpString=".dbf") returned 4 [0052.071] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.071] lstrlenW (lpString=".1cd") returned 4 [0052.071] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.071] lstrlenW (lpString=".jpg") returned 4 [0052.071] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.071] lstrlenW (lpString=".doc") returned 4 [0052.071] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.071] lstrlenW (lpString=".docx") returned 5 [0052.071] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.071] lstrlenW (lpString=".pdf") returned 4 [0052.071] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.071] lstrlenW (lpString=".xls") returned 4 [0052.072] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.072] lstrlenW (lpString=".xlsx") returned 5 [0052.072] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.072] lstrlenW (lpString=".ppt") returned 4 [0052.072] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.072] lstrlenW (lpString=".zip") returned 4 [0052.072] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.072] lstrlenW (lpString=".rar") returned 4 [0052.072] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.072] lstrlenW (lpString=".bz2") returned 4 [0052.072] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.072] lstrlenW (lpString=".7z") returned 3 [0052.072] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.072] lstrlenW (lpString=".dbf") returned 4 [0052.072] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.072] lstrlenW (lpString=".1cd") returned 4 [0052.072] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.072] lstrlenW (lpString=".jpg") returned 4 [0052.072] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.072] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0052.072] lstrlenW (lpString="osetup.dll") returned 10 [0052.072] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0052.073] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=7378792) returned 1 [0052.073] CloseHandle (hObject=0x19c) returned 1 [0052.073] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0052.073] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.073] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0052.205] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0052.205] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.205] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.205] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.240] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.240] ReadFile (in: hFile=0x19c, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.253] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.253] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.253] ReadFile (in: hFile=0x19c, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.279] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.279] WriteFile (in: hFile=0x19c, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0052.471] SetEndOfFile (hFile=0x19c) returned 1 [0052.471] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60e0 [0052.486] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.486] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.488] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.488] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.491] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.491] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.493] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60e0 | out: hHeap=0x500000) returned 1 [0052.493] CloseHandle (hObject=0x19c) returned 1 [0052.493] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.493] lstrlenW (lpString=".doc") returned 4 [0052.494] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.494] lstrlenW (lpString=".docx") returned 5 [0052.494] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0052.494] lstrlenW (lpString=".pdf") returned 4 [0052.494] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.494] lstrlenW (lpString=".xls") returned 4 [0052.494] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.494] lstrlenW (lpString=".xlsx") returned 5 [0052.494] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0052.494] lstrlenW (lpString=".ppt") returned 4 [0052.494] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.494] lstrlenW (lpString=".zip") returned 4 [0052.494] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.494] lstrlenW (lpString=".rar") returned 4 [0052.494] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.494] lstrlenW (lpString=".bz2") returned 4 [0052.494] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.494] lstrlenW (lpString=".7z") returned 3 [0052.494] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.494] lstrlenW (lpString=".dbf") returned 4 [0052.494] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.494] lstrlenW (lpString=".1cd") returned 4 [0052.494] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.494] lstrlenW (lpString=".jpg") returned 4 [0052.494] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.495] lstrlenW (lpString=".doc") returned 4 [0052.495] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString=".docx") returned 5 [0052.495] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0052.495] lstrlenW (lpString=".pdf") returned 4 [0052.495] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString=".xls") returned 4 [0052.495] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString=".xlsx") returned 5 [0052.495] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0052.495] lstrlenW (lpString=".ppt") returned 4 [0052.495] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.495] lstrlenW (lpString=".zip") returned 4 [0052.495] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString=".rar") returned 4 [0052.495] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.495] lstrlenW (lpString=".bz2") returned 4 [0052.495] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.495] lstrlenW (lpString=".7z") returned 3 [0052.495] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.495] lstrlenW (lpString=".dbf") returned 4 [0052.495] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.496] lstrlenW (lpString=".1cd") returned 4 [0052.496] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.496] lstrlenW (lpString=".jpg") returned 4 [0052.496] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.496] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0052.496] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0052.496] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0052.497] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=222948913) returned 1 [0052.497] CloseHandle (hObject=0x19c) returned 1 [0052.497] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0052.497] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.497] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0052.498] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0052.498] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.498] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.498] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b80058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.509] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.509] ReadFile (in: hFile=0x19c, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.516] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x327fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.516] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x327fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.516] ReadFile (in: hFile=0x19c, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x327fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x327fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.756] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.756] WriteFile (in: hFile=0x19c, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x327fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.775] SetEndOfFile (hFile=0x19c) returned 1 [0052.775] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0052.779] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.779] WriteFile (in: hFile=0x19c, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.780] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.780] WriteFile (in: hFile=0x19c, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.158] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x327fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.158] WriteFile (in: hFile=0x19c, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x327fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x327fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.161] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0053.164] CloseHandle (hObject=0x19c) returned 1 [0053.165] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0053.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.165] lstrlenW (lpString=".doc") returned 4 [0053.165] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.165] lstrlenW (lpString=".docx") returned 5 [0053.165] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0053.165] lstrlenW (lpString=".pdf") returned 4 [0053.165] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.165] lstrlenW (lpString=".xls") returned 4 [0053.166] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString=".xlsx") returned 5 [0053.166] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0053.166] lstrlenW (lpString=".ppt") returned 4 [0053.166] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.166] lstrlenW (lpString=".zip") returned 4 [0053.166] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString=".rar") returned 4 [0053.166] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString=".bz2") returned 4 [0053.166] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.166] lstrlenW (lpString=".7z") returned 3 [0053.166] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.166] lstrlenW (lpString=".dbf") returned 4 [0053.166] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.166] lstrlenW (lpString=".1cd") returned 4 [0053.166] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.166] lstrlenW (lpString=".jpg") returned 4 [0053.166] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.166] lstrlenW (lpString=".doc") returned 4 [0053.166] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString=".docx") returned 5 [0053.166] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0053.166] lstrlenW (lpString=".pdf") returned 4 [0053.166] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString=".xls") returned 4 [0053.166] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.166] lstrlenW (lpString=".xlsx") returned 5 [0053.167] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0053.167] lstrlenW (lpString=".ppt") returned 4 [0053.167] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.167] lstrlenW (lpString=".zip") returned 4 [0053.167] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.167] lstrlenW (lpString=".rar") returned 4 [0053.167] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.167] lstrlenW (lpString=".bz2") returned 4 [0053.167] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.167] lstrlenW (lpString=".7z") returned 3 [0053.167] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.167] lstrlenW (lpString=".dbf") returned 4 [0053.167] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.167] lstrlenW (lpString=".1cd") returned 4 [0053.167] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0053.167] lstrlenW (lpString=".jpg") returned 4 [0053.167] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.167] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0053.167] lstrlenW (lpString="PidGenX.dll") returned 11 [0053.167] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0053.168] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=1463568) returned 1 [0053.168] CloseHandle (hObject=0x19c) returned 1 [0053.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0053.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0053.168] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.168] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0053.169] GetLastError () returned 0x0 [0053.169] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0053.194] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0053.503] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x65520, lpOverlapped=0x0) returned 1 [0053.521] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0053.796] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.799] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.799] SetEndOfFile (hFile=0x1ec) returned 1 [0053.799] CloseHandle (hObject=0x1ec) returned 1 [0053.800] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.800] SetEndOfFile (hFile=0x19c) returned 1 [0053.805] CloseHandle (hObject=0x19c) returned 1 [0053.805] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0053.805] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0053.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.805] lstrlenW (lpString=".doc") returned 4 [0053.805] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.806] lstrlenW (lpString=".docx") returned 5 [0053.806] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0053.806] lstrlenW (lpString=".pdf") returned 4 [0053.806] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.806] lstrlenW (lpString=".xls") returned 4 [0053.806] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.806] lstrlenW (lpString=".xlsx") returned 5 [0053.806] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0053.806] lstrlenW (lpString=".ppt") returned 4 [0053.806] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.806] lstrlenW (lpString=".zip") returned 4 [0053.806] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.806] lstrlenW (lpString=".rar") returned 4 [0053.806] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.806] lstrlenW (lpString=".bz2") returned 4 [0053.806] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.806] lstrlenW (lpString=".7z") returned 3 [0053.806] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.806] lstrlenW (lpString=".dbf") returned 4 [0053.806] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.806] lstrlenW (lpString=".1cd") returned 4 [0053.806] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.807] lstrlenW (lpString=".jpg") returned 4 [0053.807] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.807] lstrlenW (lpString=".doc") returned 4 [0053.807] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString=".docx") returned 5 [0053.807] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0053.807] lstrlenW (lpString=".pdf") returned 4 [0053.807] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString=".xls") returned 4 [0053.807] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString=".xlsx") returned 5 [0053.807] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0053.807] lstrlenW (lpString=".ppt") returned 4 [0053.807] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.807] lstrlenW (lpString=".zip") returned 4 [0053.807] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString=".rar") returned 4 [0053.807] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.807] lstrlenW (lpString=".bz2") returned 4 [0053.807] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.807] lstrlenW (lpString=".7z") returned 3 [0053.807] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.808] lstrlenW (lpString=".dbf") returned 4 [0053.808] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.808] lstrlenW (lpString=".1cd") returned 4 [0053.808] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.808] lstrlenW (lpString=".jpg") returned 4 [0053.808] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.808] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0053.808] lstrlenW (lpString="setup.exe") returned 9 [0053.808] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0053.809] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=1377656) returned 1 [0053.809] CloseHandle (hObject=0x19c) returned 1 [0053.809] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0053.809] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0053.809] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.809] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0053.810] GetLastError () returned 0x0 [0053.810] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0053.841] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0054.891] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x50588, lpOverlapped=0x0) returned 1 [0055.231] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0055.244] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.244] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0055.244] SetEndOfFile (hFile=0x1ec) returned 1 [0055.244] CloseHandle (hObject=0x1ec) returned 1 [0055.245] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.245] SetEndOfFile (hFile=0x19c) returned 1 [0055.249] CloseHandle (hObject=0x19c) returned 1 [0055.249] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.250] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0055.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.250] lstrlenW (lpString=".doc") returned 4 [0055.250] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0055.250] lstrlenW (lpString=".docx") returned 5 [0055.250] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0055.250] lstrlenW (lpString=".pdf") returned 4 [0055.250] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0055.250] lstrlenW (lpString=".xls") returned 4 [0055.250] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0055.250] lstrlenW (lpString=".xlsx") returned 5 [0055.250] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0055.250] lstrlenW (lpString=".ppt") returned 4 [0055.250] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0055.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.251] lstrlenW (lpString=".zip") returned 4 [0055.251] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0055.251] lstrlenW (lpString=".rar") returned 4 [0055.251] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0055.251] lstrlenW (lpString=".bz2") returned 4 [0055.251] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0055.251] lstrlenW (lpString=".7z") returned 3 [0055.251] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0055.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.251] lstrlenW (lpString=".dbf") returned 4 [0055.251] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0055.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.251] lstrlenW (lpString=".1cd") returned 4 [0055.251] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0055.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.251] lstrlenW (lpString=".jpg") returned 4 [0055.251] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0055.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.251] lstrlenW (lpString=".doc") returned 4 [0055.251] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0055.251] lstrlenW (lpString=".docx") returned 5 [0055.251] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0055.251] lstrlenW (lpString=".pdf") returned 4 [0055.251] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0055.251] lstrlenW (lpString=".xls") returned 4 [0055.251] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0055.252] lstrlenW (lpString=".xlsx") returned 5 [0055.252] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0055.252] lstrlenW (lpString=".ppt") returned 4 [0055.252] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0055.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.252] lstrlenW (lpString=".zip") returned 4 [0055.252] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0055.252] lstrlenW (lpString=".rar") returned 4 [0055.252] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0055.252] lstrlenW (lpString=".bz2") returned 4 [0055.252] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0055.252] lstrlenW (lpString=".7z") returned 3 [0055.252] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0055.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.252] lstrlenW (lpString=".dbf") returned 4 [0055.252] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0055.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.252] lstrlenW (lpString=".1cd") returned 4 [0055.252] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0055.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0055.252] lstrlenW (lpString=".jpg") returned 4 [0055.252] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0055.252] lstrcmpiW (lpString1=".xrm-ms", lpString2=".NcOv") returned 1 [0055.253] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0055.253] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0055.253] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=715834) returned 1 [0055.253] CloseHandle (hObject=0x19c) returned 1 [0055.253] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0055.253] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.253] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0055.254] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.254] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.254] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0055.254] GetLastError () returned 0x0 [0055.254] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0055.624] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0055.643] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x104, lpOverlapped=0x0) returned 1 [0055.643] SetEndOfFile (hFile=0x1ec) returned 1 [0055.643] CloseHandle (hObject=0x1ec) returned 1 [0055.643] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.643] SetEndOfFile (hFile=0x19c) returned 1 [0055.651] CloseHandle (hObject=0x19c) returned 1 [0055.651] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.911] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0056.439] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.439] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.439] lstrlenW (lpString=".doc") returned 4 [0056.439] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString=".docx") returned 5 [0056.439] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0056.439] lstrlenW (lpString=".pdf") returned 4 [0056.439] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString=".xls") returned 4 [0056.439] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString=".xlsx") returned 5 [0056.439] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0056.439] lstrlenW (lpString=".ppt") returned 4 [0056.439] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.439] lstrlenW (lpString=".zip") returned 4 [0056.439] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString=".rar") returned 4 [0056.439] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString=".bz2") returned 4 [0056.439] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0056.439] lstrlenW (lpString=".7z") returned 3 [0056.440] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0056.440] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.440] lstrlenW (lpString=".dbf") returned 4 [0056.440] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0056.440] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.440] lstrlenW (lpString=".1cd") returned 4 [0056.440] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0056.440] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.440] lstrlenW (lpString=".jpg") returned 4 [0056.440] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0056.440] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.440] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.440] lstrlenW (lpString=".doc") returned 4 [0056.440] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0056.440] lstrlenW (lpString=".docx") returned 5 [0056.440] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0056.440] lstrlenW (lpString=".pdf") returned 4 [0056.440] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0056.440] lstrlenW (lpString=".xls") returned 4 [0056.440] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0056.440] lstrlenW (lpString=".xlsx") returned 5 [0056.441] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0056.441] lstrlenW (lpString=".ppt") returned 4 [0056.441] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0056.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.441] lstrlenW (lpString=".zip") returned 4 [0056.441] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0056.441] lstrlenW (lpString=".rar") returned 4 [0056.441] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0056.441] lstrlenW (lpString=".bz2") returned 4 [0056.441] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0056.441] lstrlenW (lpString=".7z") returned 3 [0056.441] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0056.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.441] lstrlenW (lpString=".dbf") returned 4 [0056.441] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0056.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.441] lstrlenW (lpString=".1cd") returned 4 [0056.441] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0056.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0056.441] lstrlenW (lpString=".jpg") returned 4 [0056.441] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0056.441] lstrcmpiW (lpString1=".sys", lpString2=".NcOv") returned 1 [0056.442] lstrlenW (lpString="pagefile.sys") returned 12 [0056.442] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.442] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.442] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.442] lstrlenW (lpString=".doc") returned 4 [0056.442] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0056.442] lstrlenW (lpString=".docx") returned 5 [0056.442] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0056.442] lstrlenW (lpString=".pdf") returned 4 [0056.442] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0056.442] lstrlenW (lpString=".xls") returned 4 [0056.442] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0056.442] lstrlenW (lpString=".xlsx") returned 5 [0056.442] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0056.442] lstrlenW (lpString=".ppt") returned 4 [0056.442] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0056.442] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.442] lstrlenW (lpString=".zip") returned 4 [0056.442] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0056.442] lstrlenW (lpString=".rar") returned 4 [0056.442] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString=".bz2") returned 4 [0056.443] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString=".7z") returned 3 [0056.443] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0056.443] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.443] lstrlenW (lpString=".dbf") returned 4 [0056.443] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.443] lstrlenW (lpString=".1cd") returned 4 [0056.443] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.443] lstrlenW (lpString=".jpg") returned 4 [0056.443] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.443] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.443] lstrlenW (lpString=".doc") returned 4 [0056.443] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString=".docx") returned 5 [0056.443] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0056.443] lstrlenW (lpString=".pdf") returned 4 [0056.443] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0056.443] lstrlenW (lpString=".xls") returned 4 [0056.443] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0056.443] lstrlenW (lpString=".xlsx") returned 5 [0056.443] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0056.443] lstrlenW (lpString=".ppt") returned 4 [0056.443] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0056.444] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.444] lstrlenW (lpString=".zip") returned 4 [0056.444] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0056.444] lstrlenW (lpString=".rar") returned 4 [0056.444] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0056.444] lstrlenW (lpString=".bz2") returned 4 [0056.444] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0056.444] lstrlenW (lpString=".7z") returned 3 [0056.444] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0056.444] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.444] lstrlenW (lpString=".dbf") returned 4 [0056.444] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0056.444] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.444] lstrlenW (lpString=".1cd") returned 4 [0056.444] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0056.444] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0056.444] lstrlenW (lpString=".jpg") returned 4 [0056.444] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0056.444] lstrcmpiW (lpString1=".DLL", lpString2=".NcOv") returned -1 [0056.444] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0056.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.544] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=99136) returned 1 [0056.544] CloseHandle (hObject=0x1bc) returned 1 [0056.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 0x20 [0056.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.544] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.544] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0056.545] GetLastError () returned 0x0 [0056.545] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x18340, lpOverlapped=0x0) returned 1 [0056.550] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x18350, lpOverlapped=0x0) returned 1 [0056.865] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.865] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.865] SetEndOfFile (hFile=0x214) returned 1 [0056.865] CloseHandle (hObject=0x214) returned 1 [0056.866] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.866] SetEndOfFile (hFile=0x1bc) returned 1 [0056.868] CloseHandle (hObject=0x1bc) returned 1 [0056.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0056.868] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 1 [0056.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.868] lstrlenW (lpString=".doc") returned 4 [0056.868] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.868] lstrlenW (lpString=".docx") returned 5 [0056.868] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0056.868] lstrlenW (lpString=".pdf") returned 4 [0056.868] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.868] lstrlenW (lpString=".xls") returned 4 [0056.869] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.869] lstrlenW (lpString=".xlsx") returned 5 [0056.869] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0056.869] lstrlenW (lpString=".ppt") returned 4 [0056.869] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.869] lstrlenW (lpString=".zip") returned 4 [0056.869] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.869] lstrlenW (lpString=".rar") returned 4 [0056.869] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.869] lstrlenW (lpString=".bz2") returned 4 [0056.869] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.869] lstrlenW (lpString=".7z") returned 3 [0056.869] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.870] lstrlenW (lpString=".dbf") returned 4 [0056.870] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.870] lstrlenW (lpString=".1cd") returned 4 [0056.870] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.870] lstrlenW (lpString=".jpg") returned 4 [0056.870] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.870] lstrlenW (lpString=".doc") returned 4 [0056.870] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.871] lstrlenW (lpString=".docx") returned 5 [0056.871] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0056.871] lstrlenW (lpString=".pdf") returned 4 [0056.871] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.871] lstrlenW (lpString=".xls") returned 4 [0056.871] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.871] lstrlenW (lpString=".xlsx") returned 5 [0056.871] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0056.871] lstrlenW (lpString=".ppt") returned 4 [0056.871] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.871] lstrlenW (lpString=".zip") returned 4 [0056.871] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.871] lstrlenW (lpString=".rar") returned 4 [0056.871] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.871] lstrlenW (lpString=".bz2") returned 4 [0056.871] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.871] lstrlenW (lpString=".7z") returned 3 [0056.871] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.871] lstrlenW (lpString=".dbf") returned 4 [0056.871] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.871] lstrlenW (lpString=".1cd") returned 4 [0056.871] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0056.871] lstrlenW (lpString=".jpg") returned 4 [0056.871] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.872] lstrcmpiW (lpString1=".DLL", lpString2=".NcOv") returned -1 [0056.872] lstrlenW (lpString="EEINTL.DLL") returned 10 [0056.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.873] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=64096) returned 1 [0056.873] CloseHandle (hObject=0x1bc) returned 1 [0056.873] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 0x20 [0056.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.874] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.874] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0056.875] GetLastError () returned 0x0 [0056.875] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xfa60, lpOverlapped=0x0) returned 1 [0056.886] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xfa70, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xfa70, lpOverlapped=0x0) returned 1 [0056.888] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.889] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0056.889] SetEndOfFile (hFile=0x214) returned 1 [0056.889] CloseHandle (hObject=0x214) returned 1 [0056.889] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.889] SetEndOfFile (hFile=0x1bc) returned 1 [0056.894] CloseHandle (hObject=0x1bc) returned 1 [0056.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0056.896] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 1 [0056.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.978] lstrlenW (lpString=".doc") returned 4 [0056.995] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.995] lstrlenW (lpString=".docx") returned 5 [0056.995] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.995] lstrlenW (lpString=".pdf") returned 4 [0056.995] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.995] lstrlenW (lpString=".xls") returned 4 [0056.996] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".xlsx") returned 5 [0056.996] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.996] lstrlenW (lpString=".ppt") returned 4 [0056.996] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.996] lstrlenW (lpString=".zip") returned 4 [0056.996] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".rar") returned 4 [0056.996] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".bz2") returned 4 [0056.996] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.996] lstrlenW (lpString=".7z") returned 3 [0056.996] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.996] lstrlenW (lpString=".dbf") returned 4 [0056.996] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.996] lstrlenW (lpString=".1cd") returned 4 [0056.996] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.996] lstrlenW (lpString=".jpg") returned 4 [0056.996] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.996] lstrlenW (lpString=".doc") returned 4 [0056.996] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".docx") returned 5 [0056.996] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.996] lstrlenW (lpString=".pdf") returned 4 [0056.997] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".xls") returned 4 [0056.997] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".xlsx") returned 5 [0056.997] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.997] lstrlenW (lpString=".ppt") returned 4 [0056.997] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.997] lstrlenW (lpString=".zip") returned 4 [0056.997] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".rar") returned 4 [0056.997] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".bz2") returned 4 [0056.997] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.997] lstrlenW (lpString=".7z") returned 3 [0056.997] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.997] lstrlenW (lpString=".dbf") returned 4 [0056.997] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.997] lstrlenW (lpString=".1cd") returned 4 [0056.997] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0056.997] lstrlenW (lpString=".jpg") returned 4 [0056.997] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.997] lstrcmpiW (lpString1=".CNT", lpString2=".NcOv") returned -1 [0056.997] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0056.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0057.002] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=2557) returned 1 [0057.002] CloseHandle (hObject=0x1bc) returned 1 [0057.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 0x20 [0057.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0057.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0057.023] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.023] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.026] GetLastError () returned 0x0 [0057.026] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x9fd, lpOverlapped=0x0) returned 1 [0057.032] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0057.036] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.038] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.038] SetEndOfFile (hFile=0x214) returned 1 [0057.039] CloseHandle (hObject=0x214) returned 1 [0057.040] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.040] SetEndOfFile (hFile=0x1bc) returned 1 [0057.045] CloseHandle (hObject=0x1bc) returned 1 [0057.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0057.046] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 1 [0057.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.050] lstrlenW (lpString=".doc") returned 4 [0057.050] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0057.050] lstrlenW (lpString=".docx") returned 5 [0057.050] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0057.050] lstrlenW (lpString=".pdf") returned 4 [0057.050] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0057.050] lstrlenW (lpString=".xls") returned 4 [0057.050] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0057.050] lstrlenW (lpString=".xlsx") returned 5 [0057.050] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0057.050] lstrlenW (lpString=".ppt") returned 4 [0057.050] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0057.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.050] lstrlenW (lpString=".zip") returned 4 [0057.050] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0057.050] lstrlenW (lpString=".rar") returned 4 [0057.050] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0057.050] lstrlenW (lpString=".bz2") returned 4 [0057.050] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0057.050] lstrlenW (lpString=".7z") returned 3 [0057.050] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0057.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.050] lstrlenW (lpString=".dbf") returned 4 [0057.051] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.051] lstrlenW (lpString=".1cd") returned 4 [0057.051] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0057.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.051] lstrlenW (lpString=".jpg") returned 4 [0057.051] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.051] lstrlenW (lpString=".doc") returned 4 [0057.051] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString=".docx") returned 5 [0057.051] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0057.051] lstrlenW (lpString=".pdf") returned 4 [0057.051] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString=".xls") returned 4 [0057.051] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString=".xlsx") returned 5 [0057.051] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0057.051] lstrlenW (lpString=".ppt") returned 4 [0057.051] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.051] lstrlenW (lpString=".zip") returned 4 [0057.051] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString=".rar") returned 4 [0057.051] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0057.051] lstrlenW (lpString=".bz2") returned 4 [0057.051] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0057.051] lstrlenW (lpString=".7z") returned 3 [0057.051] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0057.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.052] lstrlenW (lpString=".dbf") returned 4 [0057.052] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0057.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.052] lstrlenW (lpString=".1cd") returned 4 [0057.052] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0057.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0057.052] lstrlenW (lpString=".jpg") returned 4 [0057.052] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0057.052] lstrcmpiW (lpString1=".EXE", lpString2=".NcOv") returned -1 [0057.052] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0057.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0057.054] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=543304) returned 1 [0057.054] CloseHandle (hObject=0x1bc) returned 1 [0057.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 0x20 [0057.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0057.055] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0057.056] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.058] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.058] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.060] GetLastError () returned 0x0 [0057.060] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x84a48, lpOverlapped=0x0) returned 1 [0057.175] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x84a50, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x84a50, lpOverlapped=0x0) returned 1 [0057.742] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.743] WriteFile (in: hFile=0x214, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.743] SetEndOfFile (hFile=0x214) returned 1 [0057.743] CloseHandle (hObject=0x214) returned 1 [0057.743] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.743] SetEndOfFile (hFile=0x1bc) returned 1 [0057.749] CloseHandle (hObject=0x1bc) returned 1 [0057.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0057.750] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 1 [0057.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.750] lstrlenW (lpString=".doc") returned 4 [0057.750] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0057.750] lstrlenW (lpString=".docx") returned 5 [0057.750] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0057.750] lstrlenW (lpString=".pdf") returned 4 [0057.750] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0057.750] lstrlenW (lpString=".xls") returned 4 [0057.750] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0057.750] lstrlenW (lpString=".xlsx") returned 5 [0057.750] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0057.750] lstrlenW (lpString=".ppt") returned 4 [0057.750] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0057.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.750] lstrlenW (lpString=".zip") returned 4 [0057.750] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0057.750] lstrlenW (lpString=".rar") returned 4 [0057.750] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0057.750] lstrlenW (lpString=".bz2") returned 4 [0057.750] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0057.750] lstrlenW (lpString=".7z") returned 3 [0057.751] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString=".dbf") returned 4 [0057.751] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString=".1cd") returned 4 [0057.751] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString=".jpg") returned 4 [0057.751] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString=".doc") returned 4 [0057.751] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0057.751] lstrlenW (lpString=".docx") returned 5 [0057.751] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0057.751] lstrlenW (lpString=".pdf") returned 4 [0057.751] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0057.751] lstrlenW (lpString=".xls") returned 4 [0057.751] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0057.751] lstrlenW (lpString=".xlsx") returned 5 [0057.751] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0057.751] lstrlenW (lpString=".ppt") returned 4 [0057.751] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString=".zip") returned 4 [0057.751] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0057.751] lstrlenW (lpString=".rar") returned 4 [0057.751] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0057.751] lstrlenW (lpString=".bz2") returned 4 [0057.751] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0057.751] lstrlenW (lpString=".7z") returned 3 [0057.751] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0057.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.751] lstrlenW (lpString=".dbf") returned 4 [0057.751] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0057.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.752] lstrlenW (lpString=".1cd") returned 4 [0057.752] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0057.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0057.752] lstrlenW (lpString=".jpg") returned 4 [0057.752] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0057.752] lstrcmpiW (lpString1=".manifest", lpString2=".NcOv") returned -1 [0057.752] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0057.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.003] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=566) returned 1 [0058.003] CloseHandle (hObject=0x204) returned 1 [0058.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 0x20 [0058.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.003] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.003] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0058.004] GetLastError () returned 0x0 [0058.004] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x236, lpOverlapped=0x0) returned 1 [0058.005] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x240, lpOverlapped=0x0) returned 1 [0058.006] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.006] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xfe, lpOverlapped=0x0) returned 1 [0058.006] SetEndOfFile (hFile=0x228) returned 1 [0058.006] CloseHandle (hObject=0x228) returned 1 [0058.007] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.007] SetEndOfFile (hFile=0x204) returned 1 [0058.008] CloseHandle (hObject=0x204) returned 1 [0058.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0058.008] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0058.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.008] lstrlenW (lpString=".doc") returned 4 [0058.008] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0058.008] lstrlenW (lpString=".docx") returned 5 [0058.008] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0058.009] lstrlenW (lpString=".pdf") returned 4 [0058.009] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString=".xls") returned 4 [0058.009] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString=".xlsx") returned 5 [0058.009] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0058.009] lstrlenW (lpString=".ppt") returned 4 [0058.009] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.009] lstrlenW (lpString=".zip") returned 4 [0058.009] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString=".rar") returned 4 [0058.009] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString=".bz2") returned 4 [0058.009] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString=".7z") returned 3 [0058.009] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.009] lstrlenW (lpString=".dbf") returned 4 [0058.009] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.009] lstrlenW (lpString=".1cd") returned 4 [0058.009] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.009] lstrlenW (lpString=".jpg") returned 4 [0058.009] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.009] lstrlenW (lpString=".doc") returned 4 [0058.009] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString=".docx") returned 5 [0058.010] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0058.010] lstrlenW (lpString=".pdf") returned 4 [0058.010] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString=".xls") returned 4 [0058.010] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString=".xlsx") returned 5 [0058.010] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0058.010] lstrlenW (lpString=".ppt") returned 4 [0058.010] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.010] lstrlenW (lpString=".zip") returned 4 [0058.010] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString=".rar") returned 4 [0058.010] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString=".bz2") returned 4 [0058.010] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString=".7z") returned 3 [0058.010] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0058.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.010] lstrlenW (lpString=".dbf") returned 4 [0058.010] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.010] lstrlenW (lpString=".1cd") returned 4 [0058.010] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0058.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0058.010] lstrlenW (lpString=".jpg") returned 4 [0058.010] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0058.011] lstrcmpiW (lpString1=".HLP", lpString2=".NcOv") returned -1 [0058.011] lstrlenW (lpString="EQNEDT32.HLP") returned 12 [0058.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.011] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=176311) returned 1 [0058.011] CloseHandle (hObject=0x204) returned 1 [0058.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 0x20 [0058.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.012] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.012] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0058.013] GetLastError () returned 0x0 [0058.013] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x2b0b7, lpOverlapped=0x0) returned 1 [0058.019] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x2b0c0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x2b0c0, lpOverlapped=0x0) returned 1 [0058.025] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.025] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.025] SetEndOfFile (hFile=0x228) returned 1 [0058.025] CloseHandle (hObject=0x228) returned 1 [0058.025] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.025] SetEndOfFile (hFile=0x204) returned 1 [0058.028] CloseHandle (hObject=0x204) returned 1 [0058.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0058.028] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 1 [0058.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.028] lstrlenW (lpString=".doc") returned 4 [0058.028] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0058.029] lstrlenW (lpString=".docx") returned 5 [0058.029] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0058.029] lstrlenW (lpString=".pdf") returned 4 [0058.029] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0058.029] lstrlenW (lpString=".xls") returned 4 [0058.029] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0058.029] lstrlenW (lpString=".xlsx") returned 5 [0058.029] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0058.029] lstrlenW (lpString=".ppt") returned 4 [0058.029] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.029] lstrlenW (lpString=".zip") returned 4 [0058.029] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0058.029] lstrlenW (lpString=".rar") returned 4 [0058.029] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0058.029] lstrlenW (lpString=".bz2") returned 4 [0058.029] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0058.029] lstrlenW (lpString=".7z") returned 3 [0058.029] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.029] lstrlenW (lpString=".dbf") returned 4 [0058.029] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.029] lstrlenW (lpString=".1cd") returned 4 [0058.029] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.029] lstrlenW (lpString=".jpg") returned 4 [0058.029] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.030] lstrlenW (lpString=".doc") returned 4 [0058.030] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0058.030] lstrlenW (lpString=".docx") returned 5 [0058.030] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0058.030] lstrlenW (lpString=".pdf") returned 4 [0058.030] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0058.030] lstrlenW (lpString=".xls") returned 4 [0058.030] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0058.030] lstrlenW (lpString=".xlsx") returned 5 [0058.030] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0058.030] lstrlenW (lpString=".ppt") returned 4 [0058.030] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.030] lstrlenW (lpString=".zip") returned 4 [0058.030] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0058.030] lstrlenW (lpString=".rar") returned 4 [0058.030] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0058.030] lstrlenW (lpString=".bz2") returned 4 [0058.030] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0058.030] lstrlenW (lpString=".7z") returned 3 [0058.030] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.030] lstrlenW (lpString=".dbf") returned 4 [0058.030] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.030] lstrlenW (lpString=".1cd") returned 4 [0058.030] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0058.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0058.031] lstrlenW (lpString=".jpg") returned 4 [0058.031] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0058.031] lstrcmpiW (lpString1=".TTF", lpString2=".NcOv") returned 1 [0058.031] lstrlenW (lpString="MTEXTRA.TTF") returned 11 [0058.031] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.032] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=7656) returned 1 [0058.032] CloseHandle (hObject=0x204) returned 1 [0058.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 0x20 [0058.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.032] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.032] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0058.033] GetLastError () returned 0x0 [0058.033] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x1de8, lpOverlapped=0x0) returned 1 [0058.077] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x1df0, lpOverlapped=0x0) returned 1 [0058.078] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.079] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xea, lpOverlapped=0x0) returned 1 [0058.079] SetEndOfFile (hFile=0x228) returned 1 [0058.079] CloseHandle (hObject=0x228) returned 1 [0058.079] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.079] SetEndOfFile (hFile=0x204) returned 1 [0058.080] CloseHandle (hObject=0x204) returned 1 [0058.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0058.081] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.081] lstrlenW (lpString=".doc") returned 4 [0058.081] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0058.081] lstrlenW (lpString=".docx") returned 5 [0058.081] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0058.081] lstrlenW (lpString=".pdf") returned 4 [0058.081] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0058.081] lstrlenW (lpString=".xls") returned 4 [0058.081] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0058.081] lstrlenW (lpString=".xlsx") returned 5 [0058.081] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0058.081] lstrlenW (lpString=".ppt") returned 4 [0058.081] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.081] lstrlenW (lpString=".zip") returned 4 [0058.081] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0058.082] lstrlenW (lpString=".rar") returned 4 [0058.082] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString=".bz2") returned 4 [0058.082] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString=".7z") returned 3 [0058.082] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.082] lstrlenW (lpString=".dbf") returned 4 [0058.082] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.082] lstrlenW (lpString=".1cd") returned 4 [0058.082] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.082] lstrlenW (lpString=".jpg") returned 4 [0058.082] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.082] lstrlenW (lpString=".doc") returned 4 [0058.082] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString=".docx") returned 5 [0058.082] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0058.082] lstrlenW (lpString=".pdf") returned 4 [0058.082] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0058.082] lstrlenW (lpString=".xls") returned 4 [0058.082] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0058.082] lstrlenW (lpString=".xlsx") returned 5 [0058.082] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0058.083] lstrlenW (lpString=".ppt") returned 4 [0058.083] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0058.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.083] lstrlenW (lpString=".zip") returned 4 [0058.083] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0058.083] lstrlenW (lpString=".rar") returned 4 [0058.083] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0058.083] lstrlenW (lpString=".bz2") returned 4 [0058.083] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0058.083] lstrlenW (lpString=".7z") returned 3 [0058.083] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0058.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.083] lstrlenW (lpString=".dbf") returned 4 [0058.083] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0058.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.083] lstrlenW (lpString=".1cd") returned 4 [0058.083] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0058.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0058.083] lstrlenW (lpString=".jpg") returned 4 [0058.083] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0058.083] lstrcmpiW (lpString1=".DLL", lpString2=".NcOv") returned -1 [0058.083] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0058.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.084] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=31104) returned 1 [0058.084] CloseHandle (hObject=0x204) returned 1 [0058.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 0x20 [0058.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.085] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.085] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0058.098] GetLastError () returned 0x0 [0058.098] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x7980, lpOverlapped=0x0) returned 1 [0058.917] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x7990, lpOverlapped=0x0) returned 1 [0059.199] ReadFile (in: hFile=0x204, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.199] WriteFile (in: hFile=0x228, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xea, lpOverlapped=0x0) returned 1 [0059.199] SetEndOfFile (hFile=0x228) returned 1 [0059.199] CloseHandle (hObject=0x228) returned 1 [0059.200] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.200] SetEndOfFile (hFile=0x204) returned 1 [0059.201] CloseHandle (hObject=0x204) returned 1 [0059.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0059.201] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 1 [0059.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.202] lstrlenW (lpString=".doc") returned 4 [0059.202] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.202] lstrlenW (lpString=".docx") returned 5 [0059.202] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0059.202] lstrlenW (lpString=".pdf") returned 4 [0059.202] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.202] lstrlenW (lpString=".xls") returned 4 [0059.202] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.202] lstrlenW (lpString=".xlsx") returned 5 [0059.202] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0059.202] lstrlenW (lpString=".ppt") returned 4 [0059.202] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.202] lstrlenW (lpString=".zip") returned 4 [0059.202] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.202] lstrlenW (lpString=".rar") returned 4 [0059.202] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.202] lstrlenW (lpString=".bz2") returned 4 [0059.202] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.202] lstrlenW (lpString=".7z") returned 3 [0059.202] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.202] lstrlenW (lpString=".dbf") returned 4 [0059.203] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.203] lstrlenW (lpString=".1cd") returned 4 [0059.203] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.203] lstrlenW (lpString=".jpg") returned 4 [0059.203] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.203] lstrlenW (lpString=".doc") returned 4 [0059.203] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString=".docx") returned 5 [0059.203] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0059.203] lstrlenW (lpString=".pdf") returned 4 [0059.203] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString=".xls") returned 4 [0059.203] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString=".xlsx") returned 5 [0059.203] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0059.203] lstrlenW (lpString=".ppt") returned 4 [0059.203] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.203] lstrlenW (lpString=".zip") returned 4 [0059.203] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString=".rar") returned 4 [0059.203] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.203] lstrlenW (lpString=".bz2") returned 4 [0059.204] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.204] lstrlenW (lpString=".7z") returned 3 [0059.204] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.204] lstrlenW (lpString=".dbf") returned 4 [0059.204] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.204] lstrlenW (lpString=".1cd") returned 4 [0059.204] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0059.204] lstrlenW (lpString=".jpg") returned 4 [0059.204] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.204] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0059.204] lstrlenW (lpString="offfiltx.dll") returned 12 [0059.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0060.998] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=1486736) returned 1 [0060.998] CloseHandle (hObject=0x1ac) returned 1 [0060.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 0x20 [0060.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0060.998] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.998] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0061.582] GetLastError () returned 0x0 [0061.582] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0061.626] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0063.380] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x6afa0, lpOverlapped=0x0) returned 1 [0063.399] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x6afb0, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x6afb0, lpOverlapped=0x0) returned 1 [0063.412] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0063.412] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0063.412] SetEndOfFile (hFile=0x1c8) returned 1 [0063.413] CloseHandle (hObject=0x1c8) returned 1 [0063.413] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.413] SetEndOfFile (hFile=0x1ac) returned 1 [0063.418] CloseHandle (hObject=0x1ac) returned 1 [0063.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0063.419] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 1 [0063.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.420] lstrlenW (lpString=".doc") returned 4 [0063.420] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0063.420] lstrlenW (lpString=".docx") returned 5 [0063.420] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0063.420] lstrlenW (lpString=".pdf") returned 4 [0063.420] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0063.420] lstrlenW (lpString=".xls") returned 4 [0063.420] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0063.420] lstrlenW (lpString=".xlsx") returned 5 [0063.420] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0063.420] lstrlenW (lpString=".ppt") returned 4 [0063.420] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0063.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.420] lstrlenW (lpString=".zip") returned 4 [0063.420] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0063.420] lstrlenW (lpString=".rar") returned 4 [0063.420] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0063.420] lstrlenW (lpString=".bz2") returned 4 [0063.420] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0063.420] lstrlenW (lpString=".7z") returned 3 [0063.420] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0063.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.420] lstrlenW (lpString=".dbf") returned 4 [0063.420] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0063.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.420] lstrlenW (lpString=".1cd") returned 4 [0063.420] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0063.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.597] lstrlenW (lpString=".jpg") returned 4 [0063.597] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0063.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.597] lstrlenW (lpString=".doc") returned 4 [0063.597] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0063.597] lstrlenW (lpString=".docx") returned 5 [0063.597] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0063.597] lstrlenW (lpString=".pdf") returned 4 [0063.597] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0063.597] lstrlenW (lpString=".xls") returned 4 [0063.597] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0063.597] lstrlenW (lpString=".xlsx") returned 5 [0063.597] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0063.597] lstrlenW (lpString=".ppt") returned 4 [0063.597] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0063.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.597] lstrlenW (lpString=".zip") returned 4 [0063.598] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0063.598] lstrlenW (lpString=".rar") returned 4 [0063.598] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0063.598] lstrlenW (lpString=".bz2") returned 4 [0063.598] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0063.598] lstrlenW (lpString=".7z") returned 3 [0063.598] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.598] lstrlenW (lpString=".dbf") returned 4 [0063.598] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.598] lstrlenW (lpString=".1cd") returned 4 [0063.598] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0063.598] lstrlenW (lpString=".jpg") returned 4 [0063.598] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0063.598] lstrcmpiW (lpString1=".FLT", lpString2=".NcOv") returned -1 [0063.598] lstrlenW (lpString="GIFIMP32.FLT") returned 12 [0063.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0064.121] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x327ff1c | out: lpFileSize=0x327ff1c*=320384) returned 1 [0064.121] CloseHandle (hObject=0x194) returned 1 [0064.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 0x20 [0064.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0064.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0064.121] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.122] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0064.122] GetLastError () returned 0x0 [0064.122] ReadFile (in: hFile=0x194, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x4e380, lpOverlapped=0x0) returned 1 [0064.186] WriteFile (in: hFile=0x204, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0x4e390, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0x4e390, lpOverlapped=0x0) returned 1 [0064.195] ReadFile (in: hFile=0x194, lpBuffer=0x3b80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x327fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesRead=0x327fed4*=0x0, lpOverlapped=0x0) returned 1 [0064.195] WriteFile (in: hFile=0x204, lpBuffer=0x3b80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x327fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b80020*, lpNumberOfBytesWritten=0x327fc9c*=0xec, lpOverlapped=0x0) returned 1 [0064.196] SetEndOfFile (hFile=0x204) Thread: id = 17 os_tid = 0xb30 [0037.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x37b1098 [0037.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x37c10a0 [0037.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a8f8 [0037.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x55ad28 [0037.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a910 [0037.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3c90020 [0037.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a928 [0037.780] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a928, Size=0x20) returned 0x5a3600 [0037.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a928 [0037.780] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a928, Size=0x20) returned 0x5a35b0 [0037.780] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0037.781] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0037.781] Wow64DisableWow64FsRedirection (in: OldValue=0x34cff58 | out: OldValue=0x34cff58*=0x0) returned 1 [0037.781] lstrlenW (lpString="kernel32.dll") returned 12 [0037.781] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a3600 | out: hHeap=0x500000) returned 1 [0037.781] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0037.781] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a35b0 | out: hHeap=0x500000) returned 1 [0037.781] Sleep (dwMilliseconds=0x64) [0037.986] lstrcmpiW (lpString1=".ttf", lpString2=".NcOv") returned 1 [0037.986] lstrlenW (lpString="kor_boot.ttf") returned 12 [0037.986] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0037.991] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=2371360) returned 1 [0037.991] CloseHandle (hObject=0x188) returned 1 [0037.991] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0037.991] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.991] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0 [0037.991] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.991] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.991] lstrlenW (lpString=".doc") returned 4 [0037.991] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0037.991] lstrlenW (lpString=".docx") returned 5 [0037.991] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0037.991] lstrlenW (lpString=".pdf") returned 4 [0037.991] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0037.991] lstrlenW (lpString=".xls") returned 4 [0037.991] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0037.991] lstrlenW (lpString=".xlsx") returned 5 [0037.991] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0037.991] lstrlenW (lpString=".ppt") returned 4 [0037.991] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0037.991] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.991] lstrlenW (lpString=".zip") returned 4 [0037.991] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0037.991] lstrlenW (lpString=".rar") returned 4 [0037.991] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0037.991] lstrlenW (lpString=".bz2") returned 4 [0037.992] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString=".7z") returned 3 [0037.992] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.992] lstrlenW (lpString=".dbf") returned 4 [0037.992] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.992] lstrlenW (lpString=".1cd") returned 4 [0037.992] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.992] lstrlenW (lpString=".jpg") returned 4 [0037.992] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.992] lstrlenW (lpString=".doc") returned 4 [0037.992] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString=".docx") returned 5 [0037.992] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0037.992] lstrlenW (lpString=".pdf") returned 4 [0037.992] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString=".xls") returned 4 [0037.992] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0037.992] lstrlenW (lpString=".xlsx") returned 5 [0037.992] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0037.992] lstrlenW (lpString=".ppt") returned 4 [0037.992] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.992] lstrlenW (lpString=".zip") returned 4 [0037.992] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0037.992] lstrlenW (lpString=".rar") returned 4 [0037.992] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString=".bz2") returned 4 [0037.992] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0037.992] lstrlenW (lpString=".7z") returned 3 [0037.992] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0037.992] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.993] lstrlenW (lpString=".dbf") returned 4 [0037.993] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0037.993] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.993] lstrlenW (lpString=".1cd") returned 4 [0037.993] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0037.993] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0037.993] lstrlenW (lpString=".jpg") returned 4 [0037.993] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0037.993] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.993] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.993] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0037.993] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=93248) returned 1 [0037.993] CloseHandle (hObject=0x188) returned 1 [0037.993] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0037.993] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.994] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString=".doc") returned 4 [0037.994] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.994] lstrlenW (lpString=".docx") returned 5 [0037.994] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.994] lstrlenW (lpString=".pdf") returned 4 [0037.994] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.994] lstrlenW (lpString=".xls") returned 4 [0037.994] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.994] lstrlenW (lpString=".xlsx") returned 5 [0037.994] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.994] lstrlenW (lpString=".ppt") returned 4 [0037.994] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString=".zip") returned 4 [0037.994] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.994] lstrlenW (lpString=".rar") returned 4 [0037.994] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.994] lstrlenW (lpString=".bz2") returned 4 [0037.994] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.994] lstrlenW (lpString=".7z") returned 3 [0037.994] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString=".dbf") returned 4 [0037.994] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString=".1cd") returned 4 [0037.994] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString=".jpg") returned 4 [0037.994] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.994] lstrlenW (lpString=".doc") returned 4 [0037.995] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.995] lstrlenW (lpString=".docx") returned 5 [0037.995] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.995] lstrlenW (lpString=".pdf") returned 4 [0037.995] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.995] lstrlenW (lpString=".xls") returned 4 [0037.995] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.995] lstrlenW (lpString=".xlsx") returned 5 [0037.995] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.995] lstrlenW (lpString=".ppt") returned 4 [0037.995] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.995] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.995] lstrlenW (lpString=".zip") returned 4 [0037.995] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.995] lstrlenW (lpString=".rar") returned 4 [0037.995] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.995] lstrlenW (lpString=".bz2") returned 4 [0037.995] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.995] lstrlenW (lpString=".7z") returned 3 [0037.995] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.995] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.995] lstrlenW (lpString=".dbf") returned 4 [0037.995] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.995] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.995] lstrlenW (lpString=".1cd") returned 4 [0037.995] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.995] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0037.995] lstrlenW (lpString=".jpg") returned 4 [0037.995] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.995] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.995] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.995] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0037.996] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=90688) returned 1 [0037.996] CloseHandle (hObject=0x188) returned 1 [0037.996] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0037.996] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.996] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.996] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.996] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.996] lstrlenW (lpString=".doc") returned 4 [0037.996] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.996] lstrlenW (lpString=".docx") returned 5 [0037.996] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.996] lstrlenW (lpString=".pdf") returned 4 [0037.996] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.996] lstrlenW (lpString=".xls") returned 4 [0037.996] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.996] lstrlenW (lpString=".xlsx") returned 5 [0037.996] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.996] lstrlenW (lpString=".ppt") returned 4 [0037.996] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.996] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.996] lstrlenW (lpString=".zip") returned 4 [0037.996] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.996] lstrlenW (lpString=".rar") returned 4 [0037.996] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.996] lstrlenW (lpString=".bz2") returned 4 [0037.996] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.997] lstrlenW (lpString=".7z") returned 3 [0037.997] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString=".dbf") returned 4 [0037.997] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString=".1cd") returned 4 [0037.997] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString=".jpg") returned 4 [0037.997] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString=".doc") returned 4 [0037.997] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.997] lstrlenW (lpString=".docx") returned 5 [0037.997] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.997] lstrlenW (lpString=".pdf") returned 4 [0037.997] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.997] lstrlenW (lpString=".xls") returned 4 [0037.997] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.997] lstrlenW (lpString=".xlsx") returned 5 [0037.997] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.997] lstrlenW (lpString=".ppt") returned 4 [0037.997] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString=".zip") returned 4 [0037.997] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.997] lstrlenW (lpString=".rar") returned 4 [0037.997] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.997] lstrlenW (lpString=".bz2") returned 4 [0037.997] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.997] lstrlenW (lpString=".7z") returned 3 [0037.997] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.997] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.997] lstrlenW (lpString=".dbf") returned 4 [0037.997] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.998] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.998] lstrlenW (lpString=".1cd") returned 4 [0037.998] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.998] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0037.998] lstrlenW (lpString=".jpg") returned 4 [0037.998] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.998] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0037.998] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0037.998] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0037.998] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=90704) returned 1 [0037.998] CloseHandle (hObject=0x188) returned 1 [0037.998] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0037.998] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0037.998] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.998] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.998] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.998] lstrlenW (lpString=".doc") returned 4 [0037.998] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.998] lstrlenW (lpString=".docx") returned 5 [0037.998] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.998] lstrlenW (lpString=".pdf") returned 4 [0037.999] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString=".xls") returned 4 [0037.999] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString=".xlsx") returned 5 [0037.999] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0037.999] lstrlenW (lpString=".ppt") returned 4 [0037.999] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.999] lstrlenW (lpString=".zip") returned 4 [0037.999] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString=".rar") returned 4 [0037.999] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString=".bz2") returned 4 [0037.999] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0037.999] lstrlenW (lpString=".7z") returned 3 [0037.999] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0037.999] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.999] lstrlenW (lpString=".dbf") returned 4 [0037.999] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0037.999] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.999] lstrlenW (lpString=".1cd") returned 4 [0037.999] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0037.999] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.999] lstrlenW (lpString=".jpg") returned 4 [0037.999] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0037.999] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.999] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0037.999] lstrlenW (lpString=".doc") returned 4 [0037.999] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0037.999] lstrlenW (lpString=".docx") returned 5 [0037.999] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0037.999] lstrlenW (lpString=".pdf") returned 4 [0037.999] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString=".xls") returned 4 [0037.999] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0037.999] lstrlenW (lpString=".xlsx") returned 5 [0038.000] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0038.000] lstrlenW (lpString=".ppt") returned 4 [0038.000] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0038.000] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0038.000] lstrlenW (lpString=".zip") returned 4 [0038.000] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0038.000] lstrlenW (lpString=".rar") returned 4 [0038.000] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0038.000] lstrlenW (lpString=".bz2") returned 4 [0038.000] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0038.000] lstrlenW (lpString=".7z") returned 3 [0038.000] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0038.000] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0038.000] lstrlenW (lpString=".dbf") returned 4 [0038.000] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0038.000] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0038.000] lstrlenW (lpString=".1cd") returned 4 [0038.000] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0038.000] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0038.000] lstrlenW (lpString=".jpg") returned 4 [0038.000] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0038.000] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0038.000] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0038.000] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.000] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=76352) returned 1 [0038.001] CloseHandle (hObject=0x188) returned 1 [0038.001] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0038.001] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.001] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.001] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.001] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.001] lstrlenW (lpString=".doc") returned 4 [0038.001] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0038.001] lstrlenW (lpString=".docx") returned 5 [0038.001] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0038.001] lstrlenW (lpString=".pdf") returned 4 [0038.001] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0038.001] lstrlenW (lpString=".xls") returned 4 [0038.001] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0038.001] lstrlenW (lpString=".xlsx") returned 5 [0038.001] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0038.001] lstrlenW (lpString=".ppt") returned 4 [0038.001] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0038.001] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.001] lstrlenW (lpString=".zip") returned 4 [0038.001] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0038.001] lstrlenW (lpString=".rar") returned 4 [0038.001] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0038.001] lstrlenW (lpString=".bz2") returned 4 [0038.001] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0038.001] lstrlenW (lpString=".7z") returned 3 [0038.001] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0038.001] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.001] lstrlenW (lpString=".dbf") returned 4 [0038.001] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0038.001] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.001] lstrlenW (lpString=".1cd") returned 4 [0038.002] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString=".jpg") returned 4 [0038.002] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString=".doc") returned 4 [0038.002] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0038.002] lstrlenW (lpString=".docx") returned 5 [0038.002] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0038.002] lstrlenW (lpString=".pdf") returned 4 [0038.002] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0038.002] lstrlenW (lpString=".xls") returned 4 [0038.002] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0038.002] lstrlenW (lpString=".xlsx") returned 5 [0038.002] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0038.002] lstrlenW (lpString=".ppt") returned 4 [0038.002] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString=".zip") returned 4 [0038.002] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0038.002] lstrlenW (lpString=".rar") returned 4 [0038.002] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0038.002] lstrlenW (lpString=".bz2") returned 4 [0038.002] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0038.002] lstrlenW (lpString=".7z") returned 3 [0038.002] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString=".dbf") returned 4 [0038.002] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString=".1cd") returned 4 [0038.002] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0038.002] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0038.002] lstrlenW (lpString=".jpg") returned 4 [0038.002] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0038.003] lstrcmpiW (lpString1=".mui", lpString2=".NcOv") returned -1 [0038.003] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0038.003] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.003] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=75344) returned 1 [0038.003] CloseHandle (hObject=0x188) returned 1 [0038.003] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0038.003] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.003] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.003] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.003] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.003] lstrlenW (lpString=".doc") returned 4 [0038.003] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0038.003] lstrlenW (lpString=".docx") returned 5 [0038.003] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0038.003] lstrlenW (lpString=".pdf") returned 4 [0038.003] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0038.003] lstrlenW (lpString=".xls") returned 4 [0038.003] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0038.003] lstrlenW (lpString=".xlsx") returned 5 [0038.003] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0038.003] lstrlenW (lpString=".ppt") returned 4 [0038.004] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString=".zip") returned 4 [0038.004] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0038.004] lstrlenW (lpString=".rar") returned 4 [0038.004] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0038.004] lstrlenW (lpString=".bz2") returned 4 [0038.004] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0038.004] lstrlenW (lpString=".7z") returned 3 [0038.004] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString=".dbf") returned 4 [0038.004] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString=".1cd") returned 4 [0038.004] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString=".jpg") returned 4 [0038.004] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString=".doc") returned 4 [0038.004] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0038.004] lstrlenW (lpString=".docx") returned 5 [0038.004] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0038.004] lstrlenW (lpString=".pdf") returned 4 [0038.004] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0038.004] lstrlenW (lpString=".xls") returned 4 [0038.004] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0038.004] lstrlenW (lpString=".xlsx") returned 5 [0038.004] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0038.004] lstrlenW (lpString=".ppt") returned 4 [0038.004] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0038.004] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.004] lstrlenW (lpString=".zip") returned 4 [0038.004] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0038.005] lstrlenW (lpString=".rar") returned 4 [0038.005] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0038.005] lstrlenW (lpString=".bz2") returned 4 [0038.005] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0038.005] lstrlenW (lpString=".7z") returned 3 [0038.005] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0038.005] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.005] lstrlenW (lpString=".dbf") returned 4 [0038.005] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0038.005] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.005] lstrlenW (lpString=".1cd") returned 4 [0038.005] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0038.005] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0038.005] lstrlenW (lpString=".jpg") returned 4 [0038.005] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0038.005] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0038.005] lstrlenW (lpString="memtest.exe") returned 11 [0038.005] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.005] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=485760) returned 1 [0038.005] CloseHandle (hObject=0x188) returned 1 [0038.005] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0038.005] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.006] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.006] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0038.006] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0038.006] lstrlenW (lpString=".doc") returned 4 [0038.006] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0038.006] lstrlenW (lpString=".docx") returned 5 [0038.006] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0038.006] lstrlenW (lpString=".pdf") returned 4 [0038.006] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0038.006] lstrlenW (lpString=".xls") returned 4 [0038.006] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0038.006] lstrlenW (lpString=".xlsx") returned 5 [0038.006] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0038.006] lstrlenW (lpString=".ppt") returned 4 [0038.006] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0038.006] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0038.006] lstrlenW (lpString=".zip") returned 4 [0038.006] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0038.006] lstrlenW (lpString=".rar") returned 4 [0038.006] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0038.006] lstrlenW (lpString=".bz2") returned 4 [0038.006] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0038.006] lstrlenW (lpString=".7z") returned 3 [0038.006] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0038.009] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0038.009] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.009] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0038.009] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0038.009] ReadFile (in: hFile=0x188, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.105] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0038.105] ReadFile (in: hFile=0x188, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.162] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.162] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0038.162] ReadFile (in: hFile=0x188, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.468] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.468] WriteFile (in: hFile=0x188, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0038.484] SetEndOfFile (hFile=0x188) returned 1 [0038.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f450a0 [0038.603] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.604] WriteFile (in: hFile=0x188, lpBuffer=0x3f450a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f450a0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.604] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.604] WriteFile (in: hFile=0x188, lpBuffer=0x3f450a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f450a0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.605] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.605] WriteFile (in: hFile=0x188, lpBuffer=0x3f450a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f450a0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.607] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f450a0 | out: hHeap=0x500000) returned 1 [0038.607] CloseHandle (hObject=0x188) returned 1 [0041.757] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0041.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.757] lstrlenW (lpString=".doc") returned 4 [0041.757] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.757] lstrlenW (lpString=".docx") returned 5 [0041.757] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.757] lstrlenW (lpString=".pdf") returned 4 [0041.757] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString=".xls") returned 4 [0041.758] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString=".xlsx") returned 5 [0041.758] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.758] lstrlenW (lpString=".ppt") returned 4 [0041.758] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.758] lstrlenW (lpString=".zip") returned 4 [0041.758] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString=".rar") returned 4 [0041.758] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString=".bz2") returned 4 [0041.758] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.758] lstrlenW (lpString=".7z") returned 3 [0041.758] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.758] lstrlenW (lpString=".dbf") returned 4 [0041.758] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.758] lstrlenW (lpString=".1cd") returned 4 [0041.758] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.758] lstrlenW (lpString=".jpg") returned 4 [0041.758] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.758] lstrlenW (lpString=".doc") returned 4 [0041.758] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString=".docx") returned 5 [0041.758] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.758] lstrlenW (lpString=".pdf") returned 4 [0041.758] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.758] lstrlenW (lpString=".xls") returned 4 [0041.759] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.759] lstrlenW (lpString=".xlsx") returned 5 [0041.759] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.759] lstrlenW (lpString=".ppt") returned 4 [0041.759] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.759] lstrlenW (lpString=".zip") returned 4 [0041.759] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.759] lstrlenW (lpString=".rar") returned 4 [0041.759] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.759] lstrlenW (lpString=".bz2") returned 4 [0041.759] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.759] lstrlenW (lpString=".7z") returned 3 [0041.759] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.759] lstrlenW (lpString=".dbf") returned 4 [0041.759] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.759] lstrlenW (lpString=".1cd") returned 4 [0041.759] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0041.759] lstrlenW (lpString=".jpg") returned 4 [0041.759] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.759] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0041.759] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0041.759] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0041.760] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=2865664) returned 1 [0041.760] CloseHandle (hObject=0x188) returned 1 [0041.760] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0041.760] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0041.760] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0041.761] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0041.762] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0041.762] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.762] ReadFile (in: hFile=0x188, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.767] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.767] ReadFile (in: hFile=0x188, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.780] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.780] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.780] ReadFile (in: hFile=0x188, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.797] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.797] WriteFile (in: hFile=0x188, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0042.131] SetEndOfFile (hFile=0x188) returned 1 [0042.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0042.135] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.135] WriteFile (in: hFile=0x188, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.136] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.136] WriteFile (in: hFile=0x188, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.142] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.142] WriteFile (in: hFile=0x188, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.145] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0042.145] CloseHandle (hObject=0x188) returned 1 [0043.110] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0043.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.111] lstrlenW (lpString=".doc") returned 4 [0043.111] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.111] lstrlenW (lpString=".docx") returned 5 [0043.111] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.111] lstrlenW (lpString=".pdf") returned 4 [0043.111] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.111] lstrlenW (lpString=".xls") returned 4 [0043.111] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.111] lstrlenW (lpString=".xlsx") returned 5 [0043.111] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.111] lstrlenW (lpString=".ppt") returned 4 [0043.111] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.111] lstrlenW (lpString=".zip") returned 4 [0043.111] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.111] lstrlenW (lpString=".rar") returned 4 [0043.111] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.111] lstrlenW (lpString=".bz2") returned 4 [0043.111] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.111] lstrlenW (lpString=".7z") returned 3 [0043.111] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.111] lstrlenW (lpString=".dbf") returned 4 [0043.111] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".1cd") returned 4 [0043.112] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".jpg") returned 4 [0043.112] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".doc") returned 4 [0043.112] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.112] lstrlenW (lpString=".docx") returned 5 [0043.112] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.112] lstrlenW (lpString=".pdf") returned 4 [0043.112] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.112] lstrlenW (lpString=".xls") returned 4 [0043.112] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.112] lstrlenW (lpString=".xlsx") returned 5 [0043.112] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.112] lstrlenW (lpString=".ppt") returned 4 [0043.112] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".zip") returned 4 [0043.112] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.112] lstrlenW (lpString=".rar") returned 4 [0043.112] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.112] lstrlenW (lpString=".bz2") returned 4 [0043.112] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.112] lstrlenW (lpString=".7z") returned 3 [0043.112] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".dbf") returned 4 [0043.112] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".1cd") returned 4 [0043.112] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0043.112] lstrlenW (lpString=".jpg") returned 4 [0043.112] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.113] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0043.113] lstrlenW (lpString="WordMUI.msi") returned 11 [0043.113] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0043.113] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=2522624) returned 1 [0043.113] CloseHandle (hObject=0x188) returned 1 [0043.113] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0043.113] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0043.113] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0043.114] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0043.114] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0043.114] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.114] ReadFile (in: hFile=0x188, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.298] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.298] ReadFile (in: hFile=0x188, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.352] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.352] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.352] ReadFile (in: hFile=0x188, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.534] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.534] WriteFile (in: hFile=0x188, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0043.553] SetEndOfFile (hFile=0x188) returned 1 [0043.553] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0043.553] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.553] WriteFile (in: hFile=0x188, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.555] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.555] WriteFile (in: hFile=0x188, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.561] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.561] WriteFile (in: hFile=0x188, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.954] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0043.954] CloseHandle (hObject=0x188) returned 1 [0044.342] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0044.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.343] lstrlenW (lpString=".doc") returned 4 [0044.343] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.343] lstrlenW (lpString=".docx") returned 5 [0044.343] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.343] lstrlenW (lpString=".pdf") returned 4 [0044.343] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.343] lstrlenW (lpString=".xls") returned 4 [0044.343] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.343] lstrlenW (lpString=".xlsx") returned 5 [0044.343] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.343] lstrlenW (lpString=".ppt") returned 4 [0044.343] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.343] lstrlenW (lpString=".zip") returned 4 [0044.343] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.343] lstrlenW (lpString=".rar") returned 4 [0044.343] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.343] lstrlenW (lpString=".bz2") returned 4 [0044.343] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.343] lstrlenW (lpString=".7z") returned 3 [0044.343] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.343] lstrlenW (lpString=".dbf") returned 4 [0044.343] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.343] lstrlenW (lpString=".1cd") returned 4 [0044.343] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString=".jpg") returned 4 [0044.344] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString=".doc") returned 4 [0044.344] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.344] lstrlenW (lpString=".docx") returned 5 [0044.344] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.344] lstrlenW (lpString=".pdf") returned 4 [0044.344] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.344] lstrlenW (lpString=".xls") returned 4 [0044.344] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.344] lstrlenW (lpString=".xlsx") returned 5 [0044.344] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.344] lstrlenW (lpString=".ppt") returned 4 [0044.344] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString=".zip") returned 4 [0044.344] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.344] lstrlenW (lpString=".rar") returned 4 [0044.344] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.344] lstrlenW (lpString=".bz2") returned 4 [0044.344] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.344] lstrlenW (lpString=".7z") returned 3 [0044.344] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString=".dbf") returned 4 [0044.344] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString=".1cd") returned 4 [0044.344] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0044.344] lstrlenW (lpString=".jpg") returned 4 [0044.344] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.345] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0044.345] lstrlenW (lpString="Proof.msi") returned 9 [0044.345] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.364] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=875520) returned 1 [0044.364] CloseHandle (hObject=0x200) returned 1 [0044.364] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0044.365] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.365] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.365] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.365] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.365] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.366] GetLastError () returned 0x0 [0044.367] ReadFile (in: hFile=0x200, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0044.456] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0044.481] ReadFile (in: hFile=0x200, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.481] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0044.481] SetEndOfFile (hFile=0x1c4) returned 1 [0044.481] CloseHandle (hObject=0x1c4) returned 1 [0044.583] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.583] SetEndOfFile (hFile=0x200) returned 1 [0044.615] CloseHandle (hObject=0x200) returned 1 [0044.615] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0044.616] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0044.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.616] lstrlenW (lpString=".doc") returned 4 [0044.616] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.616] lstrlenW (lpString=".docx") returned 5 [0044.616] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0044.616] lstrlenW (lpString=".pdf") returned 4 [0044.616] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.616] lstrlenW (lpString=".xls") returned 4 [0044.616] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.616] lstrlenW (lpString=".xlsx") returned 5 [0044.616] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0044.616] lstrlenW (lpString=".ppt") returned 4 [0044.617] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.617] lstrlenW (lpString=".zip") returned 4 [0044.617] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.617] lstrlenW (lpString=".rar") returned 4 [0044.617] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.617] lstrlenW (lpString=".bz2") returned 4 [0044.617] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.617] lstrlenW (lpString=".7z") returned 3 [0044.617] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.617] lstrlenW (lpString=".dbf") returned 4 [0044.617] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.617] lstrlenW (lpString=".1cd") returned 4 [0044.617] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.617] lstrlenW (lpString=".jpg") returned 4 [0044.617] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.617] lstrlenW (lpString=".doc") returned 4 [0044.617] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.617] lstrlenW (lpString=".docx") returned 5 [0044.617] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0044.617] lstrlenW (lpString=".pdf") returned 4 [0044.617] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.618] lstrlenW (lpString=".xls") returned 4 [0044.618] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.618] lstrlenW (lpString=".xlsx") returned 5 [0044.618] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0044.618] lstrlenW (lpString=".ppt") returned 4 [0044.618] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.618] lstrlenW (lpString=".zip") returned 4 [0044.618] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.618] lstrlenW (lpString=".rar") returned 4 [0044.618] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.618] lstrlenW (lpString=".bz2") returned 4 [0044.618] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.618] lstrlenW (lpString=".7z") returned 3 [0044.618] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.618] lstrlenW (lpString=".dbf") returned 4 [0044.618] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.618] lstrlenW (lpString=".1cd") returned 4 [0044.618] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0044.618] lstrlenW (lpString=".jpg") returned 4 [0044.618] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.618] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0044.619] lstrlenW (lpString="Proof.msi") returned 9 [0044.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.619] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=881152) returned 1 [0044.619] CloseHandle (hObject=0x200) returned 1 [0044.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0044.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.619] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.619] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.620] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.620] GetLastError () returned 0x0 [0044.620] ReadFile (in: hFile=0x200, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0xd7200, lpOverlapped=0x0) returned 1 [0044.645] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0044.665] ReadFile (in: hFile=0x200, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.665] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0044.665] SetEndOfFile (hFile=0x1c4) returned 1 [0044.665] CloseHandle (hObject=0x1c4) returned 1 [0044.888] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.888] SetEndOfFile (hFile=0x200) returned 1 [0044.898] CloseHandle (hObject=0x200) returned 1 [0044.898] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0044.898] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0044.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.898] lstrlenW (lpString=".doc") returned 4 [0044.898] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.898] lstrlenW (lpString=".docx") returned 5 [0044.898] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0044.898] lstrlenW (lpString=".pdf") returned 4 [0044.898] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.898] lstrlenW (lpString=".xls") returned 4 [0044.898] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.898] lstrlenW (lpString=".xlsx") returned 5 [0044.898] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0044.898] lstrlenW (lpString=".ppt") returned 4 [0044.898] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString=".zip") returned 4 [0044.899] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.899] lstrlenW (lpString=".rar") returned 4 [0044.899] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.899] lstrlenW (lpString=".bz2") returned 4 [0044.899] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.899] lstrlenW (lpString=".7z") returned 3 [0044.899] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString=".dbf") returned 4 [0044.899] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString=".1cd") returned 4 [0044.899] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString=".jpg") returned 4 [0044.899] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString=".doc") returned 4 [0044.899] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.899] lstrlenW (lpString=".docx") returned 5 [0044.899] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0044.899] lstrlenW (lpString=".pdf") returned 4 [0044.899] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.899] lstrlenW (lpString=".xls") returned 4 [0044.899] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.899] lstrlenW (lpString=".xlsx") returned 5 [0044.899] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0044.899] lstrlenW (lpString=".ppt") returned 4 [0044.899] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.899] lstrlenW (lpString=".zip") returned 4 [0044.899] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.899] lstrlenW (lpString=".rar") returned 4 [0044.899] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.900] lstrlenW (lpString=".bz2") returned 4 [0044.900] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.900] lstrlenW (lpString=".7z") returned 3 [0044.900] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.900] lstrlenW (lpString=".dbf") returned 4 [0044.900] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.900] lstrlenW (lpString=".1cd") returned 4 [0044.900] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0044.900] lstrlenW (lpString=".jpg") returned 4 [0044.900] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.900] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0044.900] lstrlenW (lpString="Proof.cab") returned 9 [0044.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.900] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=21064532) returned 1 [0044.900] CloseHandle (hObject=0x200) returned 1 [0044.900] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0044.901] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.901] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0045.653] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.653] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.653] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.653] ReadFile (in: hFile=0x200, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.658] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.658] ReadFile (in: hFile=0x200, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.664] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.664] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.665] ReadFile (in: hFile=0x200, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.687] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.687] WriteFile (in: hFile=0x200, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0045.923] SetEndOfFile (hFile=0x200) returned 1 [0045.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60e0 [0045.928] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.928] WriteFile (in: hFile=0x200, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.929] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.930] WriteFile (in: hFile=0x200, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.931] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.931] WriteFile (in: hFile=0x200, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.935] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60e0 | out: hHeap=0x500000) returned 1 [0045.935] CloseHandle (hObject=0x200) returned 1 [0047.980] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0047.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.980] lstrlenW (lpString=".doc") returned 4 [0047.980] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.980] lstrlenW (lpString=".docx") returned 5 [0047.980] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0047.980] lstrlenW (lpString=".pdf") returned 4 [0047.980] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.980] lstrlenW (lpString=".xls") returned 4 [0047.980] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.980] lstrlenW (lpString=".xlsx") returned 5 [0047.980] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0047.980] lstrlenW (lpString=".ppt") returned 4 [0047.980] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.980] lstrlenW (lpString=".zip") returned 4 [0047.980] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.980] lstrlenW (lpString=".rar") returned 4 [0047.980] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.980] lstrlenW (lpString=".bz2") returned 4 [0047.980] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.980] lstrlenW (lpString=".7z") returned 3 [0047.980] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.980] lstrlenW (lpString=".dbf") returned 4 [0047.980] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString=".1cd") returned 4 [0047.981] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString=".jpg") returned 4 [0047.981] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString=".doc") returned 4 [0047.981] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString=".docx") returned 5 [0047.981] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0047.981] lstrlenW (lpString=".pdf") returned 4 [0047.981] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString=".xls") returned 4 [0047.981] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString=".xlsx") returned 5 [0047.981] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0047.981] lstrlenW (lpString=".ppt") returned 4 [0047.981] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString=".zip") returned 4 [0047.981] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString=".rar") returned 4 [0047.981] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString=".bz2") returned 4 [0047.981] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.981] lstrlenW (lpString=".7z") returned 3 [0047.981] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString=".dbf") returned 4 [0047.981] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.981] lstrlenW (lpString=".1cd") returned 4 [0047.981] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0047.982] lstrlenW (lpString=".jpg") returned 4 [0047.982] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.982] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0047.982] lstrlenW (lpString="VisioMUI.msi") returned 12 [0047.982] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.982] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=2797568) returned 1 [0047.982] CloseHandle (hObject=0x200) returned 1 [0047.982] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0047.982] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.982] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0047.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.983] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0047.983] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.983] ReadFile (in: hFile=0x200, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.986] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.986] ReadFile (in: hFile=0x200, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.997] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.997] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.997] ReadFile (in: hFile=0x200, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.014] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.014] WriteFile (in: hFile=0x200, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.871] SetEndOfFile (hFile=0x200) returned 1 [0048.871] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f960e8 [0048.875] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.875] WriteFile (in: hFile=0x200, lpBuffer=0x3f960e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960e8*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.877] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.877] WriteFile (in: hFile=0x200, lpBuffer=0x3f960e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960e8*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.883] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.883] WriteFile (in: hFile=0x200, lpBuffer=0x3f960e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960e8*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.885] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f960e8 | out: hHeap=0x500000) returned 1 [0048.885] CloseHandle (hObject=0x200) returned 1 [0048.886] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0048.886] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.886] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.886] lstrlenW (lpString=".doc") returned 4 [0048.886] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.886] lstrlenW (lpString=".docx") returned 5 [0048.886] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.886] lstrlenW (lpString=".pdf") returned 4 [0048.886] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.886] lstrlenW (lpString=".xls") returned 4 [0048.886] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.886] lstrlenW (lpString=".xlsx") returned 5 [0048.886] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.886] lstrlenW (lpString=".ppt") returned 4 [0048.886] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.886] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.886] lstrlenW (lpString=".zip") returned 4 [0048.886] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.886] lstrlenW (lpString=".rar") returned 4 [0048.886] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.886] lstrlenW (lpString=".bz2") returned 4 [0048.886] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.886] lstrlenW (lpString=".7z") returned 3 [0048.886] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.886] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.886] lstrlenW (lpString=".dbf") returned 4 [0048.886] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.886] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".1cd") returned 4 [0048.887] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".jpg") returned 4 [0048.887] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".doc") returned 4 [0048.887] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.887] lstrlenW (lpString=".docx") returned 5 [0048.887] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.887] lstrlenW (lpString=".pdf") returned 4 [0048.887] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.887] lstrlenW (lpString=".xls") returned 4 [0048.887] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.887] lstrlenW (lpString=".xlsx") returned 5 [0048.887] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.887] lstrlenW (lpString=".ppt") returned 4 [0048.887] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".zip") returned 4 [0048.887] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.887] lstrlenW (lpString=".rar") returned 4 [0048.887] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.887] lstrlenW (lpString=".bz2") returned 4 [0048.887] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.887] lstrlenW (lpString=".7z") returned 3 [0048.887] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".dbf") returned 4 [0048.887] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".1cd") returned 4 [0048.887] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0048.887] lstrlenW (lpString=".jpg") returned 4 [0048.888] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.888] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0048.888] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0048.888] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.910] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=2511872) returned 1 [0048.910] CloseHandle (hObject=0x204) returned 1 [0048.910] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0048.911] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.911] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0048.911] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.911] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.911] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.911] ReadFile (in: hFile=0x204, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.013] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.013] ReadFile (in: hFile=0x204, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.297] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.297] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.297] ReadFile (in: hFile=0x204, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.315] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.315] WriteFile (in: hFile=0x204, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0049.332] SetEndOfFile (hFile=0x204) returned 1 [0049.333] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f660d0 [0049.650] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.650] WriteFile (in: hFile=0x204, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.652] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.652] WriteFile (in: hFile=0x204, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.658] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.658] WriteFile (in: hFile=0x204, lpBuffer=0x3f660d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f660d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.664] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f660d0 | out: hHeap=0x500000) returned 1 [0049.712] CloseHandle (hObject=0x204) returned 1 [0049.716] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.721] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.721] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.721] lstrlenW (lpString=".doc") returned 4 [0049.721] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.724] lstrlenW (lpString=".docx") returned 5 [0049.724] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0049.724] lstrlenW (lpString=".pdf") returned 4 [0049.724] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.724] lstrlenW (lpString=".xls") returned 4 [0049.724] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.724] lstrlenW (lpString=".xlsx") returned 5 [0049.724] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0049.724] lstrlenW (lpString=".ppt") returned 4 [0049.724] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.726] lstrlenW (lpString=".zip") returned 4 [0049.727] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.727] lstrlenW (lpString=".rar") returned 4 [0049.727] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.727] lstrlenW (lpString=".bz2") returned 4 [0049.727] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.728] lstrlenW (lpString=".7z") returned 3 [0049.728] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.728] lstrlenW (lpString=".dbf") returned 4 [0049.728] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.737] lstrlenW (lpString=".1cd") returned 4 [0049.737] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.737] lstrlenW (lpString=".jpg") returned 4 [0049.737] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.737] lstrlenW (lpString=".doc") returned 4 [0049.737] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.737] lstrlenW (lpString=".docx") returned 5 [0049.737] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0049.737] lstrlenW (lpString=".pdf") returned 4 [0049.737] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.737] lstrlenW (lpString=".xls") returned 4 [0049.737] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.737] lstrlenW (lpString=".xlsx") returned 5 [0049.737] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0049.737] lstrlenW (lpString=".ppt") returned 4 [0049.737] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.738] lstrlenW (lpString=".zip") returned 4 [0049.738] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.738] lstrlenW (lpString=".rar") returned 4 [0049.738] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.738] lstrlenW (lpString=".bz2") returned 4 [0049.738] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.738] lstrlenW (lpString=".7z") returned 3 [0049.738] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.738] lstrlenW (lpString=".dbf") returned 4 [0049.738] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.738] lstrlenW (lpString=".1cd") returned 4 [0049.738] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0049.738] lstrlenW (lpString=".jpg") returned 4 [0049.738] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.738] lstrcmpiW (lpString1=".manifest", lpString2=".NcOv") returned -1 [0049.738] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0049.738] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0049.738] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=1857) returned 1 [0049.739] CloseHandle (hObject=0x1a0) returned 1 [0049.739] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0049.739] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.739] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0049.739] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.739] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.739] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.066] GetLastError () returned 0x0 [0051.066] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x741, lpOverlapped=0x0) returned 1 [0051.068] WriteFile (in: hFile=0x1f8, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x750, lpOverlapped=0x0) returned 1 [0051.069] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.069] WriteFile (in: hFile=0x1f8, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x10a, lpOverlapped=0x0) returned 1 [0051.069] SetEndOfFile (hFile=0x1f8) returned 1 [0051.069] CloseHandle (hObject=0x1f8) returned 1 [0051.070] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.070] SetEndOfFile (hFile=0x1a0) returned 1 [0051.071] CloseHandle (hObject=0x1a0) returned 1 [0051.071] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.071] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0051.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.071] lstrlenW (lpString=".doc") returned 4 [0051.071] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0051.071] lstrlenW (lpString=".docx") returned 5 [0051.071] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0051.071] lstrlenW (lpString=".pdf") returned 4 [0051.071] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0051.071] lstrlenW (lpString=".xls") returned 4 [0051.071] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString=".xlsx") returned 5 [0051.072] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0051.072] lstrlenW (lpString=".ppt") returned 4 [0051.072] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.072] lstrlenW (lpString=".zip") returned 4 [0051.072] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString=".rar") returned 4 [0051.072] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString=".bz2") returned 4 [0051.072] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString=".7z") returned 3 [0051.072] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0051.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.072] lstrlenW (lpString=".dbf") returned 4 [0051.072] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.072] lstrlenW (lpString=".1cd") returned 4 [0051.072] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.072] lstrlenW (lpString=".jpg") returned 4 [0051.072] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.072] lstrlenW (lpString=".doc") returned 4 [0051.072] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0051.072] lstrlenW (lpString=".docx") returned 5 [0051.072] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0051.073] lstrlenW (lpString=".pdf") returned 4 [0051.073] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString=".xls") returned 4 [0051.073] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString=".xlsx") returned 5 [0051.073] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0051.073] lstrlenW (lpString=".ppt") returned 4 [0051.073] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.073] lstrlenW (lpString=".zip") returned 4 [0051.073] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString=".rar") returned 4 [0051.073] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString=".bz2") returned 4 [0051.073] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString=".7z") returned 3 [0051.073] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0051.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.073] lstrlenW (lpString=".dbf") returned 4 [0051.073] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.073] lstrlenW (lpString=".1cd") returned 4 [0051.073] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0051.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0051.073] lstrlenW (lpString=".jpg") returned 4 [0051.073] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0051.074] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0051.074] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0051.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.074] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=3702272) returned 1 [0051.074] CloseHandle (hObject=0x1a0) returned 1 [0051.074] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0051.074] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.074] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0051.075] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.075] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0051.075] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.075] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.080] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.080] ReadFile (in: hFile=0x1a0, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.099] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.099] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.099] ReadFile (in: hFile=0x1a0, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.115] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.116] WriteFile (in: hFile=0x1a0, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0051.319] SetEndOfFile (hFile=0x1a0) returned 1 [0051.319] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f960d8 [0051.323] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.323] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f960d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960d8*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.325] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.325] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f960d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960d8*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.331] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.331] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f960d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960d8*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.334] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f960d8 | out: hHeap=0x500000) returned 1 [0051.334] CloseHandle (hObject=0x1a0) returned 1 [0051.334] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.335] lstrlenW (lpString=".doc") returned 4 [0051.335] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.335] lstrlenW (lpString=".docx") returned 5 [0051.335] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0051.335] lstrlenW (lpString=".pdf") returned 4 [0051.335] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.335] lstrlenW (lpString=".xls") returned 4 [0051.335] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.335] lstrlenW (lpString=".xlsx") returned 5 [0051.335] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0051.335] lstrlenW (lpString=".ppt") returned 4 [0051.335] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.335] lstrlenW (lpString=".zip") returned 4 [0051.335] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.335] lstrlenW (lpString=".rar") returned 4 [0051.335] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.335] lstrlenW (lpString=".bz2") returned 4 [0051.335] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.335] lstrlenW (lpString=".7z") returned 3 [0051.335] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.335] lstrlenW (lpString=".dbf") returned 4 [0051.335] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.336] lstrlenW (lpString=".1cd") returned 4 [0051.336] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.336] lstrlenW (lpString=".jpg") returned 4 [0051.336] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.336] lstrlenW (lpString=".doc") returned 4 [0051.336] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.336] lstrlenW (lpString=".docx") returned 5 [0051.336] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0051.336] lstrlenW (lpString=".pdf") returned 4 [0051.336] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.336] lstrlenW (lpString=".xls") returned 4 [0051.336] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.336] lstrlenW (lpString=".xlsx") returned 5 [0051.336] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0051.336] lstrlenW (lpString=".ppt") returned 4 [0051.336] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.336] lstrlenW (lpString=".zip") returned 4 [0051.336] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.336] lstrlenW (lpString=".rar") returned 4 [0051.336] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.336] lstrlenW (lpString=".bz2") returned 4 [0051.336] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.337] lstrlenW (lpString=".7z") returned 3 [0051.337] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.337] lstrlenW (lpString=".dbf") returned 4 [0051.337] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.337] lstrlenW (lpString=".1cd") returned 4 [0051.337] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0051.337] lstrlenW (lpString=".jpg") returned 4 [0051.337] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.337] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0051.337] lstrlenW (lpString="osetupui.dll") returned 12 [0051.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.338] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=191872) returned 1 [0051.338] CloseHandle (hObject=0x1a0) returned 1 [0051.338] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0051.338] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.338] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.338] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.338] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.339] GetLastError () returned 0x0 [0051.339] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0051.520] WriteFile (in: hFile=0x204, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0051.525] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.525] WriteFile (in: hFile=0x204, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.525] SetEndOfFile (hFile=0x204) returned 1 [0051.525] CloseHandle (hObject=0x204) returned 1 [0051.525] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.525] SetEndOfFile (hFile=0x1a0) returned 1 [0051.528] CloseHandle (hObject=0x1a0) returned 1 [0051.528] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.529] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0051.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.529] lstrlenW (lpString=".doc") returned 4 [0051.529] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.529] lstrlenW (lpString=".docx") returned 5 [0051.529] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0051.529] lstrlenW (lpString=".pdf") returned 4 [0051.529] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.529] lstrlenW (lpString=".xls") returned 4 [0051.529] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.529] lstrlenW (lpString=".xlsx") returned 5 [0051.529] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0051.529] lstrlenW (lpString=".ppt") returned 4 [0051.529] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.529] lstrlenW (lpString=".zip") returned 4 [0051.529] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.529] lstrlenW (lpString=".rar") returned 4 [0051.529] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.530] lstrlenW (lpString=".bz2") returned 4 [0051.530] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.530] lstrlenW (lpString=".7z") returned 3 [0051.530] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.530] lstrlenW (lpString=".dbf") returned 4 [0051.530] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.530] lstrlenW (lpString=".1cd") returned 4 [0051.530] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.530] lstrlenW (lpString=".jpg") returned 4 [0051.530] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.530] lstrlenW (lpString=".doc") returned 4 [0051.530] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.530] lstrlenW (lpString=".docx") returned 5 [0051.530] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0051.530] lstrlenW (lpString=".pdf") returned 4 [0051.530] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.530] lstrlenW (lpString=".xls") returned 4 [0051.530] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.530] lstrlenW (lpString=".xlsx") returned 5 [0051.530] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0051.530] lstrlenW (lpString=".ppt") returned 4 [0051.530] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.530] lstrlenW (lpString=".zip") returned 4 [0051.531] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.531] lstrlenW (lpString=".rar") returned 4 [0051.531] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.531] lstrlenW (lpString=".bz2") returned 4 [0051.531] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.531] lstrlenW (lpString=".7z") returned 3 [0051.531] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.531] lstrlenW (lpString=".dbf") returned 4 [0051.531] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.531] lstrlenW (lpString=".1cd") returned 4 [0051.531] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0051.531] lstrlenW (lpString=".jpg") returned 4 [0051.531] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.531] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0051.531] lstrlenW (lpString="Office32WW.msi") returned 14 [0051.531] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.532] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=1992192) returned 1 [0051.532] CloseHandle (hObject=0x1a0) returned 1 [0051.532] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0051.532] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.532] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0051.533] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.533] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0051.533] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.533] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.541] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.543] ReadFile (in: hFile=0x1a0, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.562] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.562] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.562] ReadFile (in: hFile=0x1a0, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.848] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.848] WriteFile (in: hFile=0x1a0, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0051.883] SetEndOfFile (hFile=0x1a0) returned 1 [0051.883] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0051.887] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.887] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.889] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.889] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.891] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.891] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.053] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0052.170] CloseHandle (hObject=0x1a0) returned 1 [0052.171] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.171] lstrlenW (lpString=".doc") returned 4 [0052.171] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.171] lstrlenW (lpString=".docx") returned 5 [0052.171] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.171] lstrlenW (lpString=".pdf") returned 4 [0052.171] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.171] lstrlenW (lpString=".xls") returned 4 [0052.171] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.171] lstrlenW (lpString=".xlsx") returned 5 [0052.171] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.171] lstrlenW (lpString=".ppt") returned 4 [0052.171] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.171] lstrlenW (lpString=".zip") returned 4 [0052.171] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.172] lstrlenW (lpString=".rar") returned 4 [0052.172] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.172] lstrlenW (lpString=".bz2") returned 4 [0052.172] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.172] lstrlenW (lpString=".7z") returned 3 [0052.172] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.172] lstrlenW (lpString=".dbf") returned 4 [0052.172] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.172] lstrlenW (lpString=".1cd") returned 4 [0052.172] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.172] lstrlenW (lpString=".jpg") returned 4 [0052.172] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.172] lstrlenW (lpString=".doc") returned 4 [0052.172] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.172] lstrlenW (lpString=".docx") returned 5 [0052.172] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.172] lstrlenW (lpString=".pdf") returned 4 [0052.172] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.172] lstrlenW (lpString=".xls") returned 4 [0052.172] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.172] lstrlenW (lpString=".xlsx") returned 5 [0052.172] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.172] lstrlenW (lpString=".ppt") returned 4 [0052.172] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.172] lstrlenW (lpString=".zip") returned 4 [0052.172] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.172] lstrlenW (lpString=".rar") returned 4 [0052.172] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.173] lstrlenW (lpString=".bz2") returned 4 [0052.173] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.173] lstrlenW (lpString=".7z") returned 3 [0052.173] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.173] lstrlenW (lpString=".dbf") returned 4 [0052.173] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.173] lstrlenW (lpString=".1cd") returned 4 [0052.173] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.173] lstrlenW (lpString=".jpg") returned 4 [0052.173] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.173] lstrcmpiW (lpString1=".xrm-ms", lpString2=".NcOv") returned 1 [0052.173] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0052.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.174] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=715834) returned 1 [0052.174] CloseHandle (hObject=0x1a0) returned 1 [0052.174] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0052.174] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.174] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.174] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.174] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.174] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.174] GetLastError () returned 0x0 [0052.174] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0052.222] WriteFile (in: hFile=0x20c, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0052.389] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.389] WriteFile (in: hFile=0x20c, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x104, lpOverlapped=0x0) returned 1 [0052.389] SetEndOfFile (hFile=0x20c) returned 1 [0052.389] CloseHandle (hObject=0x20c) returned 1 [0052.389] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.389] SetEndOfFile (hFile=0x1a0) returned 1 [0052.396] CloseHandle (hObject=0x1a0) returned 1 [0052.396] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.396] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0052.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.396] lstrlenW (lpString=".doc") returned 4 [0052.396] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0052.396] lstrlenW (lpString=".docx") returned 5 [0052.396] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0052.396] lstrlenW (lpString=".pdf") returned 4 [0052.396] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0052.396] lstrlenW (lpString=".xls") returned 4 [0052.396] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0052.396] lstrlenW (lpString=".xlsx") returned 5 [0052.396] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0052.396] lstrlenW (lpString=".ppt") returned 4 [0052.396] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0052.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString=".zip") returned 4 [0052.397] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".rar") returned 4 [0052.397] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".bz2") returned 4 [0052.397] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".7z") returned 3 [0052.397] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0052.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString=".dbf") returned 4 [0052.397] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString=".1cd") returned 4 [0052.397] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString=".jpg") returned 4 [0052.397] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString=".doc") returned 4 [0052.397] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".docx") returned 5 [0052.397] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0052.397] lstrlenW (lpString=".pdf") returned 4 [0052.397] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".xls") returned 4 [0052.397] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".xlsx") returned 5 [0052.397] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0052.397] lstrlenW (lpString=".ppt") returned 4 [0052.397] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.397] lstrlenW (lpString=".zip") returned 4 [0052.397] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0052.397] lstrlenW (lpString=".rar") returned 4 [0052.397] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0052.398] lstrlenW (lpString=".bz2") returned 4 [0052.398] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0052.398] lstrlenW (lpString=".7z") returned 3 [0052.398] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0052.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.398] lstrlenW (lpString=".dbf") returned 4 [0052.398] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0052.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.398] lstrlenW (lpString=".1cd") returned 4 [0052.398] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0052.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.398] lstrlenW (lpString=".jpg") returned 4 [0052.398] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0052.398] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0052.398] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0052.398] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.398] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=27532288) returned 1 [0052.398] CloseHandle (hObject=0x1a0) returned 1 [0052.398] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0052.399] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.399] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0052.399] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.399] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0052.399] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0052.399] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.403] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0052.403] ReadFile (in: hFile=0x1a0, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.409] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.409] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0052.409] ReadFile (in: hFile=0x1a0, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.620] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.620] WriteFile (in: hFile=0x1a0, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0052.723] SetEndOfFile (hFile=0x1a0) returned 1 [0052.723] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0052.727] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.727] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.728] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.728] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.732] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.732] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.734] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0052.734] CloseHandle (hObject=0x1a0) returned 1 [0052.734] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.734] lstrlenW (lpString=".doc") returned 4 [0052.734] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.734] lstrlenW (lpString=".docx") returned 5 [0052.734] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.734] lstrlenW (lpString=".pdf") returned 4 [0052.734] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.734] lstrlenW (lpString=".xls") returned 4 [0052.734] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.734] lstrlenW (lpString=".xlsx") returned 5 [0052.734] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.798] lstrlenW (lpString=".ppt") returned 4 [0052.798] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.798] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.798] lstrlenW (lpString=".zip") returned 4 [0052.798] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.798] lstrlenW (lpString=".rar") returned 4 [0052.799] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.799] lstrlenW (lpString=".bz2") returned 4 [0052.799] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.799] lstrlenW (lpString=".7z") returned 3 [0052.799] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.799] lstrlenW (lpString=".dbf") returned 4 [0052.799] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.799] lstrlenW (lpString=".1cd") returned 4 [0052.799] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.799] lstrlenW (lpString=".jpg") returned 4 [0052.799] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.799] lstrlenW (lpString=".doc") returned 4 [0052.799] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.799] lstrlenW (lpString=".docx") returned 5 [0052.799] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.799] lstrlenW (lpString=".pdf") returned 4 [0052.799] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.799] lstrlenW (lpString=".xls") returned 4 [0052.799] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.799] lstrlenW (lpString=".xlsx") returned 5 [0052.799] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.799] lstrlenW (lpString=".ppt") returned 4 [0052.799] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.799] lstrlenW (lpString=".zip") returned 4 [0052.799] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.799] lstrlenW (lpString=".rar") returned 4 [0052.799] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.799] lstrlenW (lpString=".bz2") returned 4 [0052.799] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.799] lstrlenW (lpString=".7z") returned 3 [0052.800] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.800] lstrlenW (lpString=".dbf") returned 4 [0052.800] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.800] lstrlenW (lpString=".1cd") returned 4 [0052.800] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0052.800] lstrlenW (lpString=".jpg") returned 4 [0052.800] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.800] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0052.800] lstrlenW (lpString="Office32WW.msi") returned 14 [0052.800] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.024] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=1992192) returned 1 [0053.024] CloseHandle (hObject=0x214) returned 1 [0053.026] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0053.026] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.026] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0053.032] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.032] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0053.032] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.033] ReadFile (in: hFile=0x214, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.107] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.107] ReadFile (in: hFile=0x214, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.118] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.118] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.118] ReadFile (in: hFile=0x214, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.136] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.136] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0053.489] SetEndOfFile (hFile=0x214) returned 1 [0053.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0053.583] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0053.583] WriteFile (in: hFile=0x214, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.585] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0053.585] WriteFile (in: hFile=0x214, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.587] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0053.587] WriteFile (in: hFile=0x214, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.590] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0053.590] CloseHandle (hObject=0x214) returned 1 [0053.591] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0053.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.591] lstrlenW (lpString=".doc") returned 4 [0053.591] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0053.591] lstrlenW (lpString=".docx") returned 5 [0053.591] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0053.591] lstrlenW (lpString=".pdf") returned 4 [0053.591] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0053.591] lstrlenW (lpString=".xls") returned 4 [0053.591] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0053.591] lstrlenW (lpString=".xlsx") returned 5 [0053.591] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0053.591] lstrlenW (lpString=".ppt") returned 4 [0053.592] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0053.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.592] lstrlenW (lpString=".zip") returned 4 [0053.592] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0053.592] lstrlenW (lpString=".rar") returned 4 [0053.592] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0053.592] lstrlenW (lpString=".bz2") returned 4 [0053.592] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0053.592] lstrlenW (lpString=".7z") returned 3 [0053.592] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0053.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.592] lstrlenW (lpString=".dbf") returned 4 [0053.592] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0053.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.592] lstrlenW (lpString=".1cd") returned 4 [0053.592] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0053.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.592] lstrlenW (lpString=".jpg") returned 4 [0053.592] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0053.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.592] lstrlenW (lpString=".doc") returned 4 [0053.592] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0053.592] lstrlenW (lpString=".docx") returned 5 [0053.592] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0053.592] lstrlenW (lpString=".pdf") returned 4 [0053.593] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0053.593] lstrlenW (lpString=".xls") returned 4 [0053.593] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0053.593] lstrlenW (lpString=".xlsx") returned 5 [0053.593] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0053.593] lstrlenW (lpString=".ppt") returned 4 [0053.593] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0053.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.593] lstrlenW (lpString=".zip") returned 4 [0053.593] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0053.593] lstrlenW (lpString=".rar") returned 4 [0053.593] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0053.593] lstrlenW (lpString=".bz2") returned 4 [0053.593] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0053.593] lstrlenW (lpString=".7z") returned 3 [0053.593] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0053.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.593] lstrlenW (lpString=".dbf") returned 4 [0053.593] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0053.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.593] lstrlenW (lpString=".1cd") returned 4 [0053.593] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0053.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0053.594] lstrlenW (lpString=".jpg") returned 4 [0053.594] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0053.594] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0053.594] lstrlenW (lpString="PrjProrWW.msi") returned 13 [0053.594] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.624] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=10798080) returned 1 [0053.624] CloseHandle (hObject=0x204) returned 1 [0053.624] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi")) returned 0x2020 [0053.624] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.625] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0053.625] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.625] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0x0) returned 1 [0053.625] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.625] ReadFile (in: hFile=0x204, lpBuffer=0x3c90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c90058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.648] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.649] ReadFile (in: hFile=0x204, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.656] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34cfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.656] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.656] ReadFile (in: hFile=0x204, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34cfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x34cfc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.536] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.536] WriteFile (in: hFile=0x204, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x34cfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0054.927] SetEndOfFile (hFile=0x204) returned 1 [0054.927] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0054.927] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.928] WriteFile (in: hFile=0x204, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.988] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.988] WriteFile (in: hFile=0x204, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.990] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x34cfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.990] WriteFile (in: hFile=0x204, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34cfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x34cfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.996] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0054.997] CloseHandle (hObject=0x204) returned 1 [0054.997] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0054.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.998] lstrlenW (lpString=".doc") returned 4 [0054.998] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0054.998] lstrlenW (lpString=".docx") returned 5 [0054.998] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0054.998] lstrlenW (lpString=".pdf") returned 4 [0054.998] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0054.998] lstrlenW (lpString=".xls") returned 4 [0054.998] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0054.998] lstrlenW (lpString=".xlsx") returned 5 [0054.998] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0054.998] lstrlenW (lpString=".ppt") returned 4 [0054.998] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0054.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.998] lstrlenW (lpString=".zip") returned 4 [0054.998] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0054.998] lstrlenW (lpString=".rar") returned 4 [0054.998] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0054.998] lstrlenW (lpString=".bz2") returned 4 [0054.998] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0054.998] lstrlenW (lpString=".7z") returned 3 [0054.998] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0054.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.998] lstrlenW (lpString=".dbf") returned 4 [0054.998] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0054.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.999] lstrlenW (lpString=".1cd") returned 4 [0054.999] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0054.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.999] lstrlenW (lpString=".jpg") returned 4 [0054.999] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0054.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.999] lstrlenW (lpString=".doc") returned 4 [0054.999] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0054.999] lstrlenW (lpString=".docx") returned 5 [0054.999] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0054.999] lstrlenW (lpString=".pdf") returned 4 [0054.999] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0054.999] lstrlenW (lpString=".xls") returned 4 [0054.999] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0054.999] lstrlenW (lpString=".xlsx") returned 5 [0054.999] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0054.999] lstrlenW (lpString=".ppt") returned 4 [0054.999] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0054.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0054.999] lstrlenW (lpString=".zip") returned 4 [0054.999] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0054.999] lstrlenW (lpString=".rar") returned 4 [0054.999] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0054.999] lstrlenW (lpString=".bz2") returned 4 [0054.999] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0054.999] lstrlenW (lpString=".7z") returned 3 [0055.000] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0055.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0055.000] lstrlenW (lpString=".dbf") returned 4 [0055.000] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0055.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0055.000] lstrlenW (lpString=".1cd") returned 4 [0055.000] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0055.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0055.000] lstrlenW (lpString=".jpg") returned 4 [0055.000] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0055.000] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0055.000] lstrlenW (lpString="ose.exe") returned 7 [0055.000] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.108] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=174440) returned 1 [0055.108] CloseHandle (hObject=0x1f8) returned 1 [0055.108] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0055.108] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.108] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.108] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.108] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.108] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.109] GetLastError () returned 0x0 [0055.109] ReadFile (in: hFile=0x1f8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0055.125] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0055.129] ReadFile (in: hFile=0x1f8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.129] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0055.129] SetEndOfFile (hFile=0x214) returned 1 [0055.129] CloseHandle (hObject=0x214) returned 1 [0055.129] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.129] SetEndOfFile (hFile=0x1f8) returned 1 [0055.131] CloseHandle (hObject=0x1f8) returned 1 [0055.131] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.131] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0055.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.132] lstrlenW (lpString=".doc") returned 4 [0055.132] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0055.132] lstrlenW (lpString=".docx") returned 5 [0055.132] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0055.132] lstrlenW (lpString=".pdf") returned 4 [0055.132] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0055.132] lstrlenW (lpString=".xls") returned 4 [0055.132] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0055.132] lstrlenW (lpString=".xlsx") returned 5 [0055.132] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0055.132] lstrlenW (lpString=".ppt") returned 4 [0055.132] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0055.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.132] lstrlenW (lpString=".zip") returned 4 [0055.132] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0055.132] lstrlenW (lpString=".rar") returned 4 [0055.132] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0055.132] lstrlenW (lpString=".bz2") returned 4 [0055.132] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0055.132] lstrlenW (lpString=".7z") returned 3 [0055.132] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0055.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.132] lstrlenW (lpString=".dbf") returned 4 [0055.132] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0055.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.132] lstrlenW (lpString=".1cd") returned 4 [0055.132] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString=".jpg") returned 4 [0055.133] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString=".doc") returned 4 [0055.133] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0055.133] lstrlenW (lpString=".docx") returned 5 [0055.133] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0055.133] lstrlenW (lpString=".pdf") returned 4 [0055.133] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0055.133] lstrlenW (lpString=".xls") returned 4 [0055.133] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0055.133] lstrlenW (lpString=".xlsx") returned 5 [0055.133] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0055.133] lstrlenW (lpString=".ppt") returned 4 [0055.133] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString=".zip") returned 4 [0055.133] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0055.133] lstrlenW (lpString=".rar") returned 4 [0055.133] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0055.133] lstrlenW (lpString=".bz2") returned 4 [0055.133] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0055.133] lstrlenW (lpString=".7z") returned 3 [0055.133] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString=".dbf") returned 4 [0055.133] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString=".1cd") returned 4 [0055.133] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0055.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0055.133] lstrlenW (lpString=".jpg") returned 4 [0055.133] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0055.134] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0055.134] lstrlenW (lpString="PidGenX.dll") returned 11 [0055.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.134] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=1463568) returned 1 [0055.134] CloseHandle (hObject=0x1f8) returned 1 [0055.134] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0055.134] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.134] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.134] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.135] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.135] GetLastError () returned 0x0 [0055.135] ReadFile (in: hFile=0x1f8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0055.324] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0055.545] ReadFile (in: hFile=0x1f8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x65520, lpOverlapped=0x0) returned 1 [0055.674] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x65530, lpOverlapped=0x0) returned 1 [0055.689] ReadFile (in: hFile=0x1f8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.689] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xea, lpOverlapped=0x0) returned 1 [0055.689] SetEndOfFile (hFile=0x214) returned 1 [0055.690] CloseHandle (hObject=0x214) returned 1 [0055.690] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.690] SetEndOfFile (hFile=0x1f8) returned 1 [0055.694] CloseHandle (hObject=0x1f8) returned 1 [0055.695] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.695] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0055.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.695] lstrlenW (lpString=".doc") returned 4 [0055.695] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.695] lstrlenW (lpString=".docx") returned 5 [0055.695] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0055.695] lstrlenW (lpString=".pdf") returned 4 [0055.695] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.695] lstrlenW (lpString=".xls") returned 4 [0055.696] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString=".xlsx") returned 5 [0055.696] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0055.696] lstrlenW (lpString=".ppt") returned 4 [0055.696] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.696] lstrlenW (lpString=".zip") returned 4 [0055.696] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString=".rar") returned 4 [0055.696] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString=".bz2") returned 4 [0055.696] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.696] lstrlenW (lpString=".7z") returned 3 [0055.696] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.696] lstrlenW (lpString=".dbf") returned 4 [0055.696] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.696] lstrlenW (lpString=".1cd") returned 4 [0055.696] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.696] lstrlenW (lpString=".jpg") returned 4 [0055.696] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.696] lstrlenW (lpString=".doc") returned 4 [0055.696] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString=".docx") returned 5 [0055.696] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0055.696] lstrlenW (lpString=".pdf") returned 4 [0055.696] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.696] lstrlenW (lpString=".xls") returned 4 [0055.696] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.697] lstrlenW (lpString=".xlsx") returned 5 [0055.697] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0055.697] lstrlenW (lpString=".ppt") returned 4 [0055.697] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.697] lstrlenW (lpString=".zip") returned 4 [0055.697] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.697] lstrlenW (lpString=".rar") returned 4 [0055.697] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.697] lstrlenW (lpString=".bz2") returned 4 [0055.697] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.697] lstrlenW (lpString=".7z") returned 3 [0055.697] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.697] lstrlenW (lpString=".dbf") returned 4 [0055.697] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.697] lstrlenW (lpString=".1cd") returned 4 [0055.697] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0055.697] lstrlenW (lpString=".jpg") returned 4 [0055.697] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.697] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0055.697] lstrlenW (lpString="setup.exe") returned 9 [0055.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0056.049] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=1377656) returned 1 [0056.049] CloseHandle (hObject=0x218) returned 1 [0056.049] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0056.050] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.050] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0056.050] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.050] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.050] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0056.051] GetLastError () returned 0x0 [0056.051] ReadFile (in: hFile=0x218, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0056.202] WriteFile (in: hFile=0x194, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0056.460] ReadFile (in: hFile=0x218, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x50588, lpOverlapped=0x0) returned 1 [0056.478] WriteFile (in: hFile=0x194, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0056.641] ReadFile (in: hFile=0x218, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.641] WriteFile (in: hFile=0x194, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0056.641] SetEndOfFile (hFile=0x194) returned 1 [0056.641] CloseHandle (hObject=0x194) returned 1 [0056.642] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.642] SetEndOfFile (hFile=0x218) returned 1 [0056.646] CloseHandle (hObject=0x218) returned 1 [0056.646] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0056.647] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0056.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.647] lstrlenW (lpString=".doc") returned 4 [0056.647] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.647] lstrlenW (lpString=".docx") returned 5 [0056.647] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0056.647] lstrlenW (lpString=".pdf") returned 4 [0056.647] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.647] lstrlenW (lpString=".xls") returned 4 [0056.647] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.647] lstrlenW (lpString=".xlsx") returned 5 [0056.647] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0056.647] lstrlenW (lpString=".ppt") returned 4 [0056.647] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.648] lstrlenW (lpString=".zip") returned 4 [0056.648] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.648] lstrlenW (lpString=".rar") returned 4 [0056.648] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.648] lstrlenW (lpString=".bz2") returned 4 [0056.648] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.648] lstrlenW (lpString=".7z") returned 3 [0056.648] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.648] lstrlenW (lpString=".dbf") returned 4 [0056.648] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.648] lstrlenW (lpString=".1cd") returned 4 [0056.648] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.648] lstrlenW (lpString=".jpg") returned 4 [0056.648] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.648] lstrlenW (lpString=".doc") returned 4 [0056.648] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.648] lstrlenW (lpString=".docx") returned 5 [0056.648] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0056.648] lstrlenW (lpString=".pdf") returned 4 [0056.648] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.648] lstrlenW (lpString=".xls") returned 4 [0056.649] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.649] lstrlenW (lpString=".xlsx") returned 5 [0056.649] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0056.649] lstrlenW (lpString=".ppt") returned 4 [0056.649] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.649] lstrlenW (lpString=".zip") returned 4 [0056.649] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.649] lstrlenW (lpString=".rar") returned 4 [0056.649] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.649] lstrlenW (lpString=".bz2") returned 4 [0056.649] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.649] lstrlenW (lpString=".7z") returned 3 [0056.649] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.649] lstrlenW (lpString=".dbf") returned 4 [0056.649] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.649] lstrlenW (lpString=".1cd") returned 4 [0056.649] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0056.649] lstrlenW (lpString=".jpg") returned 4 [0056.649] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.649] lstrcmpiW (lpString1=".DLL", lpString2=".NcOv") returned -1 [0056.650] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0056.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0057.816] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=1369952) returned 1 [0057.816] CloseHandle (hObject=0x1bc) returned 1 [0057.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 0x20 [0057.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0057.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0057.816] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.816] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.817] GetLastError () returned 0x0 [0057.817] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0057.848] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0057.951] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x4e770, lpOverlapped=0x0) returned 1 [0057.965] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x4e780, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x4e780, lpOverlapped=0x0) returned 1 [0057.980] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.980] WriteFile (in: hFile=0x214, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xea, lpOverlapped=0x0) returned 1 [0057.980] SetEndOfFile (hFile=0x214) returned 1 [0058.068] CloseHandle (hObject=0x214) returned 1 [0058.069] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.069] SetEndOfFile (hFile=0x1bc) returned 1 [0058.076] CloseHandle (hObject=0x1bc) returned 1 [0058.076] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0058.077] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 1 [0058.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.132] lstrlenW (lpString=".doc") returned 4 [0058.133] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".docx") returned 5 [0058.133] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0058.133] lstrlenW (lpString=".pdf") returned 4 [0058.133] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".xls") returned 4 [0058.133] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".xlsx") returned 5 [0058.133] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0058.133] lstrlenW (lpString=".ppt") returned 4 [0058.133] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.133] lstrlenW (lpString=".zip") returned 4 [0058.133] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".rar") returned 4 [0058.133] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".bz2") returned 4 [0058.133] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.133] lstrlenW (lpString=".7z") returned 3 [0058.133] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.133] lstrlenW (lpString=".dbf") returned 4 [0058.133] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.133] lstrlenW (lpString=".1cd") returned 4 [0058.133] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.133] lstrlenW (lpString=".jpg") returned 4 [0058.133] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.134] lstrlenW (lpString=".doc") returned 4 [0058.134] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString=".docx") returned 5 [0058.134] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0058.134] lstrlenW (lpString=".pdf") returned 4 [0058.134] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString=".xls") returned 4 [0058.134] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString=".xlsx") returned 5 [0058.134] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0058.134] lstrlenW (lpString=".ppt") returned 4 [0058.134] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.134] lstrlenW (lpString=".zip") returned 4 [0058.134] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString=".rar") returned 4 [0058.134] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString=".bz2") returned 4 [0058.134] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.134] lstrlenW (lpString=".7z") returned 3 [0058.134] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.134] lstrlenW (lpString=".dbf") returned 4 [0058.134] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.135] lstrlenW (lpString=".1cd") returned 4 [0058.135] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0058.135] lstrlenW (lpString=".jpg") returned 4 [0058.135] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.135] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0058.135] lstrlenW (lpString="msgfilt.dll") returned 11 [0058.135] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0058.137] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=38768) returned 1 [0058.137] CloseHandle (hObject=0x220) returned 1 [0058.137] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 0x20 [0058.137] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0058.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0058.137] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.137] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0060.677] GetLastError () returned 0x0 [0060.677] ReadFile (in: hFile=0x220, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x9770, lpOverlapped=0x0) returned 1 [0060.681] WriteFile (in: hFile=0x1fc, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x9780, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x9780, lpOverlapped=0x0) returned 1 [0060.683] ReadFile (in: hFile=0x220, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0060.683] WriteFile (in: hFile=0x1fc, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xea, lpOverlapped=0x0) returned 1 [0060.684] SetEndOfFile (hFile=0x1fc) returned 1 [0060.684] CloseHandle (hObject=0x1fc) returned 1 [0060.684] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.684] SetEndOfFile (hFile=0x220) returned 1 [0060.686] CloseHandle (hObject=0x220) returned 1 [0060.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0060.686] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 1 [0060.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.686] lstrlenW (lpString=".doc") returned 4 [0060.687] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0060.687] lstrlenW (lpString=".docx") returned 5 [0060.687] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0060.687] lstrlenW (lpString=".pdf") returned 4 [0060.687] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0060.687] lstrlenW (lpString=".xls") returned 4 [0060.687] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0060.687] lstrlenW (lpString=".xlsx") returned 5 [0060.687] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0060.687] lstrlenW (lpString=".ppt") returned 4 [0060.687] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0060.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.687] lstrlenW (lpString=".zip") returned 4 [0060.687] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0060.687] lstrlenW (lpString=".rar") returned 4 [0060.687] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0060.687] lstrlenW (lpString=".bz2") returned 4 [0060.687] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0060.687] lstrlenW (lpString=".7z") returned 3 [0060.687] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0060.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.687] lstrlenW (lpString=".dbf") returned 4 [0060.687] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0060.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.687] lstrlenW (lpString=".1cd") returned 4 [0060.687] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0060.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.687] lstrlenW (lpString=".jpg") returned 4 [0060.688] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.688] lstrlenW (lpString=".doc") returned 4 [0060.688] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString=".docx") returned 5 [0060.688] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0060.688] lstrlenW (lpString=".pdf") returned 4 [0060.688] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString=".xls") returned 4 [0060.688] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString=".xlsx") returned 5 [0060.688] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0060.688] lstrlenW (lpString=".ppt") returned 4 [0060.688] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.688] lstrlenW (lpString=".zip") returned 4 [0060.688] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString=".rar") returned 4 [0060.688] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0060.688] lstrlenW (lpString=".bz2") returned 4 [0060.688] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0060.688] lstrlenW (lpString=".7z") returned 3 [0060.688] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0060.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.688] lstrlenW (lpString=".dbf") returned 4 [0060.688] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0060.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.689] lstrlenW (lpString=".1cd") returned 4 [0060.689] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0060.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0060.689] lstrlenW (lpString=".jpg") returned 4 [0060.689] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0060.689] lstrcmpiW (lpString1=".CFG", lpString2=".NcOv") returned -1 [0060.689] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0060.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0060.690] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=6811) returned 1 [0060.690] CloseHandle (hObject=0x220) returned 1 [0060.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 0x20 [0060.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0060.690] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.690] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0060.691] GetLastError () returned 0x0 [0060.691] ReadFile (in: hFile=0x220, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x1a9b, lpOverlapped=0x0) returned 1 [0060.700] WriteFile (in: hFile=0x1fc, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x1aa0, lpOverlapped=0x0) returned 1 [0060.701] ReadFile (in: hFile=0x220, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0060.701] WriteFile (in: hFile=0x1fc, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.701] SetEndOfFile (hFile=0x1fc) returned 1 [0060.701] CloseHandle (hObject=0x1fc) returned 1 [0060.702] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.702] SetEndOfFile (hFile=0x220) returned 1 [0060.703] CloseHandle (hObject=0x220) returned 1 [0060.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0060.703] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 1 [0060.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.704] lstrlenW (lpString=".doc") returned 4 [0060.704] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0060.704] lstrlenW (lpString=".docx") returned 5 [0060.704] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0060.704] lstrlenW (lpString=".pdf") returned 4 [0060.704] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0060.704] lstrlenW (lpString=".xls") returned 4 [0060.704] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0060.704] lstrlenW (lpString=".xlsx") returned 5 [0060.704] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0060.704] lstrlenW (lpString=".ppt") returned 4 [0060.704] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0060.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.704] lstrlenW (lpString=".zip") returned 4 [0060.705] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0060.705] lstrlenW (lpString=".rar") returned 4 [0060.705] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0060.705] lstrlenW (lpString=".bz2") returned 4 [0060.705] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0060.705] lstrlenW (lpString=".7z") returned 3 [0060.705] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0060.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.705] lstrlenW (lpString=".dbf") returned 4 [0060.705] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0060.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.705] lstrlenW (lpString=".1cd") returned 4 [0060.705] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0060.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.705] lstrlenW (lpString=".jpg") returned 4 [0060.705] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0060.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.705] lstrlenW (lpString=".doc") returned 4 [0060.705] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0060.705] lstrlenW (lpString=".docx") returned 5 [0060.705] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0060.705] lstrlenW (lpString=".pdf") returned 4 [0060.705] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0060.705] lstrlenW (lpString=".xls") returned 4 [0060.706] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0060.706] lstrlenW (lpString=".xlsx") returned 5 [0060.706] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0060.706] lstrlenW (lpString=".ppt") returned 4 [0060.706] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0060.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.706] lstrlenW (lpString=".zip") returned 4 [0060.706] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0060.706] lstrlenW (lpString=".rar") returned 4 [0060.706] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0060.706] lstrlenW (lpString=".bz2") returned 4 [0060.706] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0060.706] lstrlenW (lpString=".7z") returned 3 [0060.706] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0060.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.706] lstrlenW (lpString=".dbf") returned 4 [0060.706] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0060.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.706] lstrlenW (lpString=".1cd") returned 4 [0060.706] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0060.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0060.707] lstrlenW (lpString=".jpg") returned 4 [0060.707] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0060.707] lstrcmpiW (lpString1=".FLT", lpString2=".NcOv") returned -1 [0060.707] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0060.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.711] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=323936) returned 1 [0060.711] CloseHandle (hObject=0x1c8) returned 1 [0060.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 0x20 [0060.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.712] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.712] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0060.712] GetLastError () returned 0x0 [0060.712] ReadFile (in: hFile=0x1c8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x4f160, lpOverlapped=0x0) returned 1 [0060.742] WriteFile (in: hFile=0x208, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0x4f170, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0x4f170, lpOverlapped=0x0) returned 1 [0060.750] ReadFile (in: hFile=0x1c8, lpBuffer=0x3c90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0060.750] WriteFile (in: hFile=0x208, lpBuffer=0x3c90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c90020*, lpNumberOfBytesWritten=0x34cfc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.750] SetEndOfFile (hFile=0x208) returned 1 [0060.751] CloseHandle (hObject=0x208) returned 1 [0060.751] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.751] SetEndOfFile (hFile=0x1c8) returned 1 [0061.035] CloseHandle (hObject=0x1c8) returned 1 [0063.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0063.693] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 1 [0064.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.161] lstrlenW (lpString=".doc") returned 4 [0064.162] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0064.162] lstrlenW (lpString=".docx") returned 5 [0064.162] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0064.162] lstrlenW (lpString=".pdf") returned 4 [0064.162] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0064.162] lstrlenW (lpString=".xls") returned 4 [0064.162] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0064.162] lstrlenW (lpString=".xlsx") returned 5 [0064.162] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0064.162] lstrlenW (lpString=".ppt") returned 4 [0064.162] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0064.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.162] lstrlenW (lpString=".zip") returned 4 [0064.162] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0064.162] lstrlenW (lpString=".rar") returned 4 [0064.162] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0064.162] lstrlenW (lpString=".bz2") returned 4 [0064.162] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0064.162] lstrlenW (lpString=".7z") returned 3 [0064.162] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0064.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.162] lstrlenW (lpString=".dbf") returned 4 [0064.162] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0064.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.162] lstrlenW (lpString=".1cd") returned 4 [0064.162] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0064.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.163] lstrlenW (lpString=".jpg") returned 4 [0064.163] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0064.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.163] lstrlenW (lpString=".doc") returned 4 [0064.163] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0064.163] lstrlenW (lpString=".docx") returned 5 [0064.163] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0064.163] lstrlenW (lpString=".pdf") returned 4 [0064.163] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0064.163] lstrlenW (lpString=".xls") returned 4 [0064.163] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0064.163] lstrlenW (lpString=".xlsx") returned 5 [0064.163] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0064.163] lstrlenW (lpString=".ppt") returned 4 [0064.163] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0064.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.163] lstrlenW (lpString=".zip") returned 4 [0064.163] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0064.163] lstrlenW (lpString=".rar") returned 4 [0064.163] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0064.163] lstrlenW (lpString=".bz2") returned 4 [0064.163] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0064.163] lstrlenW (lpString=".7z") returned 3 [0064.163] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.164] lstrlenW (lpString=".dbf") returned 4 [0064.164] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.164] lstrlenW (lpString=".1cd") returned 4 [0064.164] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0064.164] lstrlenW (lpString=".jpg") returned 4 [0064.164] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0064.164] lstrcmpiW (lpString1=".FLT", lpString2=".NcOv") returned -1 [0064.164] lstrlenW (lpString="JPEGIM32.FLT") returned 12 [0064.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 18 os_tid = 0xb38 [0037.781] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x37d10a8 [0037.781] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x37e10b0 [0037.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a928 [0037.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6) returned 0x55ad38 [0037.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a940 [0037.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100000) returned 0x3da0020 [0037.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a958 [0037.782] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a958, Size=0x20) returned 0x5a35b0 [0037.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x55a958 [0037.782] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x55a958, Size=0x20) returned 0x5a3600 [0037.782] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0037.782] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0037.782] Wow64DisableWow64FsRedirection (in: OldValue=0x371ff58 | out: OldValue=0x371ff58*=0x0) returned 1 [0037.782] lstrlenW (lpString="kernel32.dll") returned 12 [0037.782] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a35b0 | out: hHeap=0x500000) returned 1 [0037.782] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0037.783] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5a3600 | out: hHeap=0x500000) returned 1 [0037.783] Sleep (dwMilliseconds=0x64) [0037.987] lstrcmpiW (lpString1=".ttf", lpString2=".NcOv") returned 1 [0037.987] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0037.987] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0038.014] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=47452) returned 1 [0038.014] CloseHandle (hObject=0x184) returned 1 [0038.014] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0038.014] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.014] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.014] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.014] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.014] lstrlenW (lpString=".doc") returned 4 [0038.014] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString=".docx") returned 5 [0038.015] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0038.015] lstrlenW (lpString=".pdf") returned 4 [0038.015] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString=".xls") returned 4 [0038.015] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0038.015] lstrlenW (lpString=".xlsx") returned 5 [0038.015] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0038.015] lstrlenW (lpString=".ppt") returned 4 [0038.015] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.015] lstrlenW (lpString=".zip") returned 4 [0038.015] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0038.015] lstrlenW (lpString=".rar") returned 4 [0038.015] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString=".bz2") returned 4 [0038.015] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString=".7z") returned 3 [0038.015] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0038.015] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.015] lstrlenW (lpString=".dbf") returned 4 [0038.015] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.015] lstrlenW (lpString=".1cd") returned 4 [0038.015] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.015] lstrlenW (lpString=".jpg") returned 4 [0038.015] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.015] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.015] lstrlenW (lpString=".doc") returned 4 [0038.015] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0038.015] lstrlenW (lpString=".docx") returned 5 [0038.015] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0038.015] lstrlenW (lpString=".pdf") returned 4 [0038.016] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0038.016] lstrlenW (lpString=".xls") returned 4 [0038.016] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0038.016] lstrlenW (lpString=".xlsx") returned 5 [0038.016] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0038.016] lstrlenW (lpString=".ppt") returned 4 [0038.016] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0038.016] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.016] lstrlenW (lpString=".zip") returned 4 [0038.016] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0038.016] lstrlenW (lpString=".rar") returned 4 [0038.016] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0038.016] lstrlenW (lpString=".bz2") returned 4 [0038.016] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0038.016] lstrlenW (lpString=".7z") returned 3 [0038.016] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0038.016] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.016] lstrlenW (lpString=".dbf") returned 4 [0038.016] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0038.016] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.016] lstrlenW (lpString=".1cd") returned 4 [0038.016] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0038.016] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0038.016] lstrlenW (lpString=".jpg") returned 4 [0038.016] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0038.016] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0038.016] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0038.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0038.017] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=2506240) returned 1 [0038.017] CloseHandle (hObject=0x184) returned 1 [0038.017] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0038.017] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0038.017] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0038.017] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0038.017] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.017] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.017] ReadFile (in: hFile=0x184, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.184] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.184] ReadFile (in: hFile=0x184, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.204] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.205] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.205] ReadFile (in: hFile=0x184, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.241] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.241] WriteFile (in: hFile=0x184, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0038.367] SetEndOfFile (hFile=0x184) returned 1 [0038.367] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f450a0 [0038.567] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.567] WriteFile (in: hFile=0x184, lpBuffer=0x3f450a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f450a0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.568] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.568] WriteFile (in: hFile=0x184, lpBuffer=0x3f450a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f450a0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.574] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.574] WriteFile (in: hFile=0x184, lpBuffer=0x3f450a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f450a0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.577] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f450a0 | out: hHeap=0x500000) returned 1 [0038.577] CloseHandle (hObject=0x184) returned 1 [0039.043] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0039.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.043] lstrlenW (lpString=".doc") returned 4 [0039.043] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.043] lstrlenW (lpString=".docx") returned 5 [0039.043] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.043] lstrlenW (lpString=".pdf") returned 4 [0039.043] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.043] lstrlenW (lpString=".xls") returned 4 [0039.043] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.043] lstrlenW (lpString=".xlsx") returned 5 [0039.043] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.043] lstrlenW (lpString=".ppt") returned 4 [0039.043] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString=".zip") returned 4 [0039.044] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.044] lstrlenW (lpString=".rar") returned 4 [0039.044] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.044] lstrlenW (lpString=".bz2") returned 4 [0039.044] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.044] lstrlenW (lpString=".7z") returned 3 [0039.044] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString=".dbf") returned 4 [0039.044] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString=".1cd") returned 4 [0039.044] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString=".jpg") returned 4 [0039.044] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString=".doc") returned 4 [0039.044] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.044] lstrlenW (lpString=".docx") returned 5 [0039.044] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.044] lstrlenW (lpString=".pdf") returned 4 [0039.044] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.044] lstrlenW (lpString=".xls") returned 4 [0039.044] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.044] lstrlenW (lpString=".xlsx") returned 5 [0039.044] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.044] lstrlenW (lpString=".ppt") returned 4 [0039.044] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.044] lstrlenW (lpString=".zip") returned 4 [0039.044] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.044] lstrlenW (lpString=".rar") returned 4 [0039.044] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.045] lstrlenW (lpString=".bz2") returned 4 [0039.045] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.045] lstrlenW (lpString=".7z") returned 3 [0039.045] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.045] lstrlenW (lpString=".dbf") returned 4 [0039.045] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.045] lstrlenW (lpString=".1cd") returned 4 [0039.045] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0039.045] lstrlenW (lpString=".jpg") returned 4 [0039.045] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.045] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0039.045] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0039.045] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.045] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=2513920) returned 1 [0039.045] CloseHandle (hObject=0x184) returned 1 [0039.045] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0039.045] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0039.046] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0039.133] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.133] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.133] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.133] ReadFile (in: hFile=0x184, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.138] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.138] ReadFile (in: hFile=0x184, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.150] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.150] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.150] ReadFile (in: hFile=0x184, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.168] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.168] WriteFile (in: hFile=0x184, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0039.528] SetEndOfFile (hFile=0x184) returned 1 [0039.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f05098 [0039.616] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.616] WriteFile (in: hFile=0x184, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.617] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.617] WriteFile (in: hFile=0x184, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.623] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.623] WriteFile (in: hFile=0x184, lpBuffer=0x3f05098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f05098*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.626] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f05098 | out: hHeap=0x500000) returned 1 [0039.626] CloseHandle (hObject=0x184) returned 1 [0040.458] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0040.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.458] lstrlenW (lpString=".doc") returned 4 [0040.459] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.459] lstrlenW (lpString=".docx") returned 5 [0040.459] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0040.459] lstrlenW (lpString=".pdf") returned 4 [0040.459] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.459] lstrlenW (lpString=".xls") returned 4 [0040.459] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.459] lstrlenW (lpString=".xlsx") returned 5 [0040.459] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0040.459] lstrlenW (lpString=".ppt") returned 4 [0040.459] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.459] lstrlenW (lpString=".zip") returned 4 [0040.459] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.459] lstrlenW (lpString=".rar") returned 4 [0040.459] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.459] lstrlenW (lpString=".bz2") returned 4 [0040.459] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.459] lstrlenW (lpString=".7z") returned 3 [0040.459] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.459] lstrlenW (lpString=".dbf") returned 4 [0040.459] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.459] lstrlenW (lpString=".1cd") returned 4 [0040.459] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.459] lstrlenW (lpString=".jpg") returned 4 [0040.459] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.459] lstrlenW (lpString=".doc") returned 4 [0040.460] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.460] lstrlenW (lpString=".docx") returned 5 [0040.460] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0040.460] lstrlenW (lpString=".pdf") returned 4 [0040.460] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.460] lstrlenW (lpString=".xls") returned 4 [0040.460] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.460] lstrlenW (lpString=".xlsx") returned 5 [0040.460] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0040.460] lstrlenW (lpString=".ppt") returned 4 [0040.460] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.460] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.460] lstrlenW (lpString=".zip") returned 4 [0040.460] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.460] lstrlenW (lpString=".rar") returned 4 [0040.460] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.460] lstrlenW (lpString=".bz2") returned 4 [0040.460] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.460] lstrlenW (lpString=".7z") returned 3 [0040.460] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.460] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.460] lstrlenW (lpString=".dbf") returned 4 [0040.460] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.460] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.460] lstrlenW (lpString=".1cd") returned 4 [0040.460] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.460] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0040.460] lstrlenW (lpString=".jpg") returned 4 [0040.460] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.460] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0040.460] lstrlenW (lpString="OutlkLR.cab") returned 11 [0040.461] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.461] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=14819276) returned 1 [0040.461] CloseHandle (hObject=0x184) returned 1 [0040.461] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0040.461] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0040.461] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0040.462] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.462] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.462] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.462] ReadFile (in: hFile=0x184, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.925] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.925] ReadFile (in: hFile=0x184, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.021] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.021] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.021] ReadFile (in: hFile=0x184, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.058] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.058] WriteFile (in: hFile=0x184, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0041.073] SetEndOfFile (hFile=0x184) returned 1 [0041.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0041.279] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.279] WriteFile (in: hFile=0x184, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.280] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.280] WriteFile (in: hFile=0x184, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.281] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.281] WriteFile (in: hFile=0x184, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.282] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0041.282] CloseHandle (hObject=0x184) returned 1 [0044.124] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0044.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.124] lstrlenW (lpString=".doc") returned 4 [0044.124] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.124] lstrlenW (lpString=".docx") returned 5 [0044.124] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.124] lstrlenW (lpString=".pdf") returned 4 [0044.124] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.124] lstrlenW (lpString=".xls") returned 4 [0044.124] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.124] lstrlenW (lpString=".xlsx") returned 5 [0044.124] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.124] lstrlenW (lpString=".ppt") returned 4 [0044.125] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.125] lstrlenW (lpString=".zip") returned 4 [0044.125] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString=".rar") returned 4 [0044.125] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString=".bz2") returned 4 [0044.125] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.125] lstrlenW (lpString=".7z") returned 3 [0044.125] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.125] lstrlenW (lpString=".dbf") returned 4 [0044.125] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.125] lstrlenW (lpString=".1cd") returned 4 [0044.125] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.125] lstrlenW (lpString=".jpg") returned 4 [0044.125] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.125] lstrlenW (lpString=".doc") returned 4 [0044.125] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString=".docx") returned 5 [0044.125] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.125] lstrlenW (lpString=".pdf") returned 4 [0044.125] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString=".xls") returned 4 [0044.125] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.125] lstrlenW (lpString=".xlsx") returned 5 [0044.125] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.125] lstrlenW (lpString=".ppt") returned 4 [0044.125] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.126] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.126] lstrlenW (lpString=".zip") returned 4 [0044.126] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.126] lstrlenW (lpString=".rar") returned 4 [0044.126] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.126] lstrlenW (lpString=".bz2") returned 4 [0044.126] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.126] lstrlenW (lpString=".7z") returned 3 [0044.126] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.126] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.126] lstrlenW (lpString=".dbf") returned 4 [0044.126] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.126] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.126] lstrlenW (lpString=".1cd") returned 4 [0044.126] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.126] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0044.126] lstrlenW (lpString=".jpg") returned 4 [0044.126] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.129] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0044.129] lstrlenW (lpString="Proof.cab") returned 9 [0044.129] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0044.129] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=11482605) returned 1 [0044.129] CloseHandle (hObject=0x194) returned 1 [0044.129] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0044.130] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0044.130] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0044.363] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0044.363] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.363] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.363] ReadFile (in: hFile=0x194, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.375] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.375] ReadFile (in: hFile=0x194, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.381] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.381] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.381] ReadFile (in: hFile=0x194, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.400] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.400] WriteFile (in: hFile=0x194, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0044.419] SetEndOfFile (hFile=0x194) returned 1 [0044.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f560d0 [0044.494] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.494] WriteFile (in: hFile=0x194, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.531] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.531] WriteFile (in: hFile=0x194, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.533] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.534] WriteFile (in: hFile=0x194, lpBuffer=0x3f560d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f560d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.536] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f560d0 | out: hHeap=0x500000) returned 1 [0044.536] CloseHandle (hObject=0x194) returned 1 [0047.780] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0047.780] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.780] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.780] lstrlenW (lpString=".doc") returned 4 [0047.780] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.780] lstrlenW (lpString=".docx") returned 5 [0047.780] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0047.780] lstrlenW (lpString=".pdf") returned 4 [0047.780] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.780] lstrlenW (lpString=".xls") returned 4 [0047.780] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.780] lstrlenW (lpString=".xlsx") returned 5 [0047.780] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0047.781] lstrlenW (lpString=".ppt") returned 4 [0047.781] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString=".zip") returned 4 [0047.781] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString=".rar") returned 4 [0047.781] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString=".bz2") returned 4 [0047.781] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.781] lstrlenW (lpString=".7z") returned 3 [0047.781] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString=".dbf") returned 4 [0047.781] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString=".1cd") returned 4 [0047.781] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString=".jpg") returned 4 [0047.781] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString=".doc") returned 4 [0047.781] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString=".docx") returned 5 [0047.781] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0047.781] lstrlenW (lpString=".pdf") returned 4 [0047.781] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString=".xls") returned 4 [0047.781] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString=".xlsx") returned 5 [0047.781] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0047.781] lstrlenW (lpString=".ppt") returned 4 [0047.781] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.781] lstrlenW (lpString=".zip") returned 4 [0047.782] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.782] lstrlenW (lpString=".rar") returned 4 [0047.782] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.782] lstrlenW (lpString=".bz2") returned 4 [0047.782] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.782] lstrlenW (lpString=".7z") returned 3 [0047.782] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.782] lstrlenW (lpString=".dbf") returned 4 [0047.782] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.782] lstrlenW (lpString=".1cd") returned 4 [0047.782] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0047.782] lstrlenW (lpString=".jpg") returned 4 [0047.782] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.782] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0047.782] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0047.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0047.782] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=3124224) returned 1 [0047.783] CloseHandle (hObject=0x19c) returned 1 [0047.783] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0047.783] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0047.783] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0047.783] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0047.783] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.783] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.783] ReadFile (in: hFile=0x19c, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.787] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.787] ReadFile (in: hFile=0x19c, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.801] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.801] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.801] ReadFile (in: hFile=0x19c, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.818] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.818] WriteFile (in: hFile=0x19c, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0048.732] SetEndOfFile (hFile=0x19c) returned 1 [0048.732] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60d8 [0048.736] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.736] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.737] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.737] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.742] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.743] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.745] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60d8 | out: hHeap=0x500000) returned 1 [0048.745] CloseHandle (hObject=0x19c) returned 1 [0048.745] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0048.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.745] lstrlenW (lpString=".doc") returned 4 [0048.745] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.745] lstrlenW (lpString=".docx") returned 5 [0048.745] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.745] lstrlenW (lpString=".pdf") returned 4 [0048.745] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.745] lstrlenW (lpString=".xls") returned 4 [0048.745] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.745] lstrlenW (lpString=".xlsx") returned 5 [0048.746] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.746] lstrlenW (lpString=".ppt") returned 4 [0048.746] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.746] lstrlenW (lpString=".zip") returned 4 [0048.746] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.746] lstrlenW (lpString=".rar") returned 4 [0048.746] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.746] lstrlenW (lpString=".bz2") returned 4 [0048.746] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.746] lstrlenW (lpString=".7z") returned 3 [0048.746] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.746] lstrlenW (lpString=".dbf") returned 4 [0048.746] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.746] lstrlenW (lpString=".1cd") returned 4 [0048.746] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.746] lstrlenW (lpString=".jpg") returned 4 [0048.746] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.746] lstrlenW (lpString=".doc") returned 4 [0048.746] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.746] lstrlenW (lpString=".docx") returned 5 [0048.746] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.746] lstrlenW (lpString=".pdf") returned 4 [0048.746] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.746] lstrlenW (lpString=".xls") returned 4 [0048.746] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.746] lstrlenW (lpString=".xlsx") returned 5 [0048.746] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.746] lstrlenW (lpString=".ppt") returned 4 [0048.746] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.747] lstrlenW (lpString=".zip") returned 4 [0048.747] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.747] lstrlenW (lpString=".rar") returned 4 [0048.747] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.747] lstrlenW (lpString=".bz2") returned 4 [0048.747] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.747] lstrlenW (lpString=".7z") returned 3 [0048.747] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.747] lstrlenW (lpString=".dbf") returned 4 [0048.747] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.747] lstrlenW (lpString=".1cd") returned 4 [0048.747] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0048.747] lstrlenW (lpString=".jpg") returned 4 [0048.747] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.748] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0048.748] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0048.748] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.748] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=2503680) returned 1 [0048.748] CloseHandle (hObject=0x19c) returned 1 [0048.748] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0048.748] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0048.748] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0048.749] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.749] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.749] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.749] ReadFile (in: hFile=0x19c, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.071] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.071] ReadFile (in: hFile=0x19c, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.157] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.157] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.157] ReadFile (in: hFile=0x19c, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.176] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.176] WriteFile (in: hFile=0x19c, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0049.408] SetEndOfFile (hFile=0x19c) returned 1 [0049.408] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60d8 [0049.467] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.467] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.469] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.469] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.478] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.478] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60d8 | out: hHeap=0x500000) returned 1 [0049.482] CloseHandle (hObject=0x19c) returned 1 [0049.482] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0049.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.483] lstrlenW (lpString=".doc") returned 4 [0049.483] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.483] lstrlenW (lpString=".docx") returned 5 [0049.483] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0049.483] lstrlenW (lpString=".pdf") returned 4 [0049.483] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.483] lstrlenW (lpString=".xls") returned 4 [0049.483] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.483] lstrlenW (lpString=".xlsx") returned 5 [0049.483] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0049.483] lstrlenW (lpString=".ppt") returned 4 [0049.483] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.483] lstrlenW (lpString=".zip") returned 4 [0049.483] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.483] lstrlenW (lpString=".rar") returned 4 [0049.483] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.483] lstrlenW (lpString=".bz2") returned 4 [0049.484] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.484] lstrlenW (lpString=".7z") returned 3 [0049.484] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.484] lstrlenW (lpString=".dbf") returned 4 [0049.484] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.484] lstrlenW (lpString=".1cd") returned 4 [0049.484] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.484] lstrlenW (lpString=".jpg") returned 4 [0049.484] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.484] lstrlenW (lpString=".doc") returned 4 [0049.484] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.484] lstrlenW (lpString=".docx") returned 5 [0049.484] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0049.484] lstrlenW (lpString=".pdf") returned 4 [0049.485] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.485] lstrlenW (lpString=".xls") returned 4 [0049.485] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.485] lstrlenW (lpString=".xlsx") returned 5 [0049.485] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0049.485] lstrlenW (lpString=".ppt") returned 4 [0049.485] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.485] lstrlenW (lpString=".zip") returned 4 [0049.485] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.485] lstrlenW (lpString=".rar") returned 4 [0049.485] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.485] lstrlenW (lpString=".bz2") returned 4 [0049.485] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.485] lstrlenW (lpString=".7z") returned 3 [0049.485] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.485] lstrlenW (lpString=".dbf") returned 4 [0049.485] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.485] lstrlenW (lpString=".1cd") returned 4 [0049.485] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0049.485] lstrlenW (lpString=".jpg") returned 4 [0049.485] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.486] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0049.486] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0049.486] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0049.486] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=2507776) returned 1 [0049.486] CloseHandle (hObject=0x19c) returned 1 [0049.486] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0049.487] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0049.487] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0049.487] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0049.488] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.488] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.488] ReadFile (in: hFile=0x19c, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.515] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.515] ReadFile (in: hFile=0x19c, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.551] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.551] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.551] ReadFile (in: hFile=0x19c, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.641] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.641] WriteFile (in: hFile=0x19c, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0050.815] SetEndOfFile (hFile=0x19c) returned 1 [0050.819] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f960d8 [0050.846] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.847] WriteFile (in: hFile=0x19c, lpBuffer=0x3f960d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.863] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.863] WriteFile (in: hFile=0x19c, lpBuffer=0x3f960d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.871] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.871] WriteFile (in: hFile=0x19c, lpBuffer=0x3f960d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f960d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.876] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f960d8 | out: hHeap=0x500000) returned 1 [0050.876] CloseHandle (hObject=0x19c) returned 1 [0050.876] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0050.877] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.877] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.877] lstrlenW (lpString=".doc") returned 4 [0050.877] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.877] lstrlenW (lpString=".docx") returned 5 [0050.877] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0050.877] lstrlenW (lpString=".pdf") returned 4 [0050.877] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.877] lstrlenW (lpString=".xls") returned 4 [0050.877] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.877] lstrlenW (lpString=".xlsx") returned 5 [0050.877] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0050.877] lstrlenW (lpString=".ppt") returned 4 [0050.877] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.877] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.877] lstrlenW (lpString=".zip") returned 4 [0050.877] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.877] lstrlenW (lpString=".rar") returned 4 [0050.877] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.877] lstrlenW (lpString=".bz2") returned 4 [0050.877] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.877] lstrlenW (lpString=".7z") returned 3 [0050.877] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.878] lstrlenW (lpString=".dbf") returned 4 [0050.878] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.878] lstrlenW (lpString=".1cd") returned 4 [0050.878] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.878] lstrlenW (lpString=".jpg") returned 4 [0050.878] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.878] lstrlenW (lpString=".doc") returned 4 [0050.878] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.878] lstrlenW (lpString=".docx") returned 5 [0050.878] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0050.878] lstrlenW (lpString=".pdf") returned 4 [0050.878] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.879] lstrlenW (lpString=".xls") returned 4 [0050.879] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.879] lstrlenW (lpString=".xlsx") returned 5 [0050.879] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0050.879] lstrlenW (lpString=".ppt") returned 4 [0050.879] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.879] lstrlenW (lpString=".zip") returned 4 [0050.879] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.879] lstrlenW (lpString=".rar") returned 4 [0050.879] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.879] lstrlenW (lpString=".bz2") returned 4 [0050.879] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.879] lstrlenW (lpString=".7z") returned 3 [0050.879] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.879] lstrlenW (lpString=".dbf") returned 4 [0050.879] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.879] lstrlenW (lpString=".1cd") returned 4 [0050.879] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0050.879] lstrlenW (lpString=".jpg") returned 4 [0050.880] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.880] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0050.880] lstrlenW (lpString="OfficeLR.cab") returned 12 [0050.880] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.077] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=14127746) returned 1 [0051.077] CloseHandle (hObject=0x214) returned 1 [0051.077] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0051.077] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.077] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0051.077] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.078] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.078] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.078] ReadFile (in: hFile=0x214, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.130] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.130] ReadFile (in: hFile=0x214, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.140] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.140] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.140] ReadFile (in: hFile=0x214, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.188] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.188] WriteFile (in: hFile=0x214, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.374] SetEndOfFile (hFile=0x214) returned 1 [0051.375] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x4016100 [0051.380] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.380] WriteFile (in: hFile=0x214, lpBuffer=0x4016100*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x4016100*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.381] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.381] WriteFile (in: hFile=0x214, lpBuffer=0x4016100*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x4016100*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.382] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.382] WriteFile (in: hFile=0x214, lpBuffer=0x4016100*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x4016100*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.385] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x4016100 | out: hHeap=0x500000) returned 1 [0051.385] CloseHandle (hObject=0x214) returned 1 [0051.385] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.386] lstrlenW (lpString=".doc") returned 4 [0051.386] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString=".docx") returned 5 [0051.386] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0051.386] lstrlenW (lpString=".pdf") returned 4 [0051.386] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString=".xls") returned 4 [0051.386] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString=".xlsx") returned 5 [0051.386] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0051.386] lstrlenW (lpString=".ppt") returned 4 [0051.386] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.386] lstrlenW (lpString=".zip") returned 4 [0051.386] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString=".rar") returned 4 [0051.386] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString=".bz2") returned 4 [0051.386] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.386] lstrlenW (lpString=".7z") returned 3 [0051.386] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.386] lstrlenW (lpString=".dbf") returned 4 [0051.386] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.387] lstrlenW (lpString=".1cd") returned 4 [0051.387] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.387] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.387] lstrlenW (lpString=".jpg") returned 4 [0051.387] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.387] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.387] lstrlenW (lpString=".doc") returned 4 [0051.387] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString=".docx") returned 5 [0051.387] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0051.387] lstrlenW (lpString=".pdf") returned 4 [0051.387] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString=".xls") returned 4 [0051.387] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString=".xlsx") returned 5 [0051.387] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0051.387] lstrlenW (lpString=".ppt") returned 4 [0051.387] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.387] lstrlenW (lpString=".zip") returned 4 [0051.387] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString=".rar") returned 4 [0051.387] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.387] lstrlenW (lpString=".bz2") returned 4 [0051.387] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.387] lstrlenW (lpString=".7z") returned 3 [0051.388] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.388] lstrlenW (lpString=".dbf") returned 4 [0051.388] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.388] lstrlenW (lpString=".1cd") returned 4 [0051.388] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0051.388] lstrlenW (lpString=".jpg") returned 4 [0051.388] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.388] lstrcmpiW (lpString1=".MST", lpString2=".NcOv") returned -1 [0051.388] lstrlenW (lpString="ShellUI.MST") returned 11 [0051.388] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.389] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=3584) returned 1 [0051.389] CloseHandle (hObject=0x214) returned 1 [0051.389] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0051.389] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.389] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.389] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.389] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.389] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0051.390] GetLastError () returned 0x0 [0051.390] ReadFile (in: hFile=0x214, lpBuffer=0x3da0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fed4, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesRead=0x371fed4*=0xe00, lpOverlapped=0x0) returned 1 [0051.396] WriteFile (in: hFile=0x224, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x371fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0051.398] ReadFile (in: hFile=0x214, lpBuffer=0x3da0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fed4, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesRead=0x371fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.398] WriteFile (in: hFile=0x224, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x371fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.398] SetEndOfFile (hFile=0x224) returned 1 [0051.398] CloseHandle (hObject=0x224) returned 1 [0051.398] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.398] SetEndOfFile (hFile=0x214) returned 1 [0051.400] CloseHandle (hObject=0x214) returned 1 [0051.400] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0051.400] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0051.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.400] lstrlenW (lpString=".doc") returned 4 [0051.400] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0051.400] lstrlenW (lpString=".docx") returned 5 [0051.400] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0051.400] lstrlenW (lpString=".pdf") returned 4 [0051.400] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0051.400] lstrlenW (lpString=".xls") returned 4 [0051.400] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0051.400] lstrlenW (lpString=".xlsx") returned 5 [0051.400] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0051.400] lstrlenW (lpString=".ppt") returned 4 [0051.400] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0051.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString=".zip") returned 4 [0051.401] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0051.401] lstrlenW (lpString=".rar") returned 4 [0051.401] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0051.401] lstrlenW (lpString=".bz2") returned 4 [0051.401] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0051.401] lstrlenW (lpString=".7z") returned 3 [0051.401] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0051.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString=".dbf") returned 4 [0051.401] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0051.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString=".1cd") returned 4 [0051.401] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0051.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString=".jpg") returned 4 [0051.401] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0051.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString=".doc") returned 4 [0051.401] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0051.401] lstrlenW (lpString=".docx") returned 5 [0051.401] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0051.401] lstrlenW (lpString=".pdf") returned 4 [0051.401] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0051.401] lstrlenW (lpString=".xls") returned 4 [0051.401] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0051.401] lstrlenW (lpString=".xlsx") returned 5 [0051.401] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0051.401] lstrlenW (lpString=".ppt") returned 4 [0051.401] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0051.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.401] lstrlenW (lpString=".zip") returned 4 [0051.401] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0051.401] lstrlenW (lpString=".rar") returned 4 [0051.401] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0051.402] lstrlenW (lpString=".bz2") returned 4 [0051.402] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0051.402] lstrlenW (lpString=".7z") returned 3 [0051.402] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0051.402] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.402] lstrlenW (lpString=".dbf") returned 4 [0051.402] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0051.402] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.402] lstrlenW (lpString=".1cd") returned 4 [0051.402] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0051.402] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0051.402] lstrlenW (lpString=".jpg") returned 4 [0051.402] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0051.402] lstrcmpiW (lpString1=".msi", lpString2=".NcOv") returned -1 [0051.402] lstrlenW (lpString="AccessMUI.msi") returned 13 [0051.402] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.693] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=2517504) returned 1 [0051.693] CloseHandle (hObject=0x1e8) returned 1 [0051.693] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0051.693] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0051.693] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0051.694] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.694] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.694] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.694] ReadFile (in: hFile=0x1e8, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.715] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.715] ReadFile (in: hFile=0x1e8, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.748] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.748] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.748] ReadFile (in: hFile=0x1e8, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.779] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.779] WriteFile (in: hFile=0x1e8, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0052.021] SetEndOfFile (hFile=0x1e8) returned 1 [0052.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fc60d8 [0052.131] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.131] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.132] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.132] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.138] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.138] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.141] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fc60d8 | out: hHeap=0x500000) returned 1 [0052.142] CloseHandle (hObject=0x1e8) returned 1 [0052.142] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.142] lstrlenW (lpString=".doc") returned 4 [0052.142] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.142] lstrlenW (lpString=".docx") returned 5 [0052.142] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0052.142] lstrlenW (lpString=".pdf") returned 4 [0052.143] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.143] lstrlenW (lpString=".xls") returned 4 [0052.143] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.143] lstrlenW (lpString=".xlsx") returned 5 [0052.143] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0052.143] lstrlenW (lpString=".ppt") returned 4 [0052.143] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.143] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.143] lstrlenW (lpString=".zip") returned 4 [0052.143] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.143] lstrlenW (lpString=".rar") returned 4 [0052.143] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.143] lstrlenW (lpString=".bz2") returned 4 [0052.143] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.143] lstrlenW (lpString=".7z") returned 3 [0052.143] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.143] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.143] lstrlenW (lpString=".dbf") returned 4 [0052.143] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.143] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.143] lstrlenW (lpString=".1cd") returned 4 [0052.143] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.143] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.143] lstrlenW (lpString=".jpg") returned 4 [0052.143] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.143] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.143] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.143] lstrlenW (lpString=".doc") returned 4 [0052.143] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.143] lstrlenW (lpString=".docx") returned 5 [0052.143] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0052.144] lstrlenW (lpString=".pdf") returned 4 [0052.144] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.144] lstrlenW (lpString=".xls") returned 4 [0052.144] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.144] lstrlenW (lpString=".xlsx") returned 5 [0052.144] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0052.144] lstrlenW (lpString=".ppt") returned 4 [0052.144] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.144] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.144] lstrlenW (lpString=".zip") returned 4 [0052.144] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.144] lstrlenW (lpString=".rar") returned 4 [0052.144] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.144] lstrlenW (lpString=".bz2") returned 4 [0052.144] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.144] lstrlenW (lpString=".7z") returned 3 [0052.144] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.144] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.144] lstrlenW (lpString=".dbf") returned 4 [0052.144] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.144] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.144] lstrlenW (lpString=".1cd") returned 4 [0052.144] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.144] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0052.144] lstrlenW (lpString=".jpg") returned 4 [0052.144] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.144] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0052.144] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0052.145] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0052.145] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=36233052) returned 1 [0052.145] CloseHandle (hObject=0x1e8) returned 1 [0052.145] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0052.145] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.145] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0052.146] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0052.146] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.146] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.146] ReadFile (in: hFile=0x1e8, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.178] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.178] ReadFile (in: hFile=0x1e8, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.237] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.237] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.237] ReadFile (in: hFile=0x1e8, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.429] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.429] WriteFile (in: hFile=0x1e8, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.453] SetEndOfFile (hFile=0x1e8) returned 1 [0052.453] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60e0 [0052.477] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.477] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.478] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.478] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.480] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.480] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.483] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60e0 | out: hHeap=0x500000) returned 1 [0052.483] CloseHandle (hObject=0x1e8) returned 1 [0052.483] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.484] lstrlenW (lpString=".doc") returned 4 [0052.484] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString=".docx") returned 5 [0052.484] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.484] lstrlenW (lpString=".pdf") returned 4 [0052.484] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString=".xls") returned 4 [0052.484] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString=".xlsx") returned 5 [0052.484] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.484] lstrlenW (lpString=".ppt") returned 4 [0052.484] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.484] lstrlenW (lpString=".zip") returned 4 [0052.484] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString=".rar") returned 4 [0052.484] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString=".bz2") returned 4 [0052.484] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.484] lstrlenW (lpString=".7z") returned 3 [0052.484] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.484] lstrlenW (lpString=".dbf") returned 4 [0052.484] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.484] lstrlenW (lpString=".1cd") returned 4 [0052.484] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.484] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.484] lstrlenW (lpString=".jpg") returned 4 [0052.484] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.485] lstrlenW (lpString=".doc") returned 4 [0052.485] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString=".docx") returned 5 [0052.485] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.485] lstrlenW (lpString=".pdf") returned 4 [0052.485] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString=".xls") returned 4 [0052.485] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString=".xlsx") returned 5 [0052.485] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.485] lstrlenW (lpString=".ppt") returned 4 [0052.485] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.485] lstrlenW (lpString=".zip") returned 4 [0052.485] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString=".rar") returned 4 [0052.485] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString=".bz2") returned 4 [0052.485] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.485] lstrlenW (lpString=".7z") returned 3 [0052.485] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.485] lstrlenW (lpString=".dbf") returned 4 [0052.485] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.485] lstrlenW (lpString=".1cd") returned 4 [0052.485] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.485] lstrlenW (lpString=".jpg") returned 4 [0052.485] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.486] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0052.486] lstrlenW (lpString="ProPrWW.cab") returned 11 [0052.486] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0052.506] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=177720283) returned 1 [0052.506] CloseHandle (hObject=0x1e8) returned 1 [0052.506] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0052.506] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.506] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0052.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0052.517] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.517] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.517] ReadFile (in: hFile=0x1e8, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.531] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.531] ReadFile (in: hFile=0x1e8, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.538] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.538] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.538] ReadFile (in: hFile=0x1e8, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.634] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.634] WriteFile (in: hFile=0x1e8, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0052.861] SetEndOfFile (hFile=0x1e8) returned 1 [0052.861] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fc60d8 [0052.866] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.866] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.867] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.867] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.868] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.868] WriteFile (in: hFile=0x1e8, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.872] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fc60d8 | out: hHeap=0x500000) returned 1 [0052.872] CloseHandle (hObject=0x1e8) returned 1 [0052.872] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.872] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.872] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.872] lstrlenW (lpString=".doc") returned 4 [0052.872] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.872] lstrlenW (lpString=".docx") returned 5 [0052.872] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.872] lstrlenW (lpString=".pdf") returned 4 [0052.873] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString=".xls") returned 4 [0052.873] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString=".xlsx") returned 5 [0052.873] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.873] lstrlenW (lpString=".ppt") returned 4 [0052.873] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.873] lstrlenW (lpString=".zip") returned 4 [0052.873] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString=".rar") returned 4 [0052.873] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString=".bz2") returned 4 [0052.873] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.873] lstrlenW (lpString=".7z") returned 3 [0052.873] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.873] lstrlenW (lpString=".dbf") returned 4 [0052.873] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.873] lstrlenW (lpString=".1cd") returned 4 [0052.873] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.873] lstrlenW (lpString=".jpg") returned 4 [0052.873] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.874] lstrlenW (lpString=".doc") returned 4 [0052.874] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString=".docx") returned 5 [0052.874] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.874] lstrlenW (lpString=".pdf") returned 4 [0052.874] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString=".xls") returned 4 [0052.874] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString=".xlsx") returned 5 [0052.874] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.874] lstrlenW (lpString=".ppt") returned 4 [0052.874] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.874] lstrlenW (lpString=".zip") returned 4 [0052.874] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString=".rar") returned 4 [0052.874] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString=".bz2") returned 4 [0052.874] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.874] lstrlenW (lpString=".7z") returned 3 [0052.874] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.874] lstrlenW (lpString=".dbf") returned 4 [0052.874] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.874] lstrlenW (lpString=".1cd") returned 4 [0052.874] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0052.874] lstrlenW (lpString=".jpg") returned 4 [0052.874] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.875] lstrcmpiW (lpString1=".exe", lpString2=".NcOv") returned -1 [0052.875] lstrlenW (lpString="ose.exe") returned 7 [0052.875] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.959] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=174440) returned 1 [0052.959] CloseHandle (hObject=0x1f8) returned 1 [0052.959] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0052.959] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.959] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.959] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.959] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.959] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.960] GetLastError () returned 0x0 [0052.960] ReadFile (in: hFile=0x1f8, lpBuffer=0x3da0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fed4, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesRead=0x371fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0052.968] WriteFile (in: hFile=0x194, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x371fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0052.972] ReadFile (in: hFile=0x1f8, lpBuffer=0x3da0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fed4, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesRead=0x371fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.972] WriteFile (in: hFile=0x194, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x371fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0052.972] SetEndOfFile (hFile=0x194) returned 1 [0052.972] CloseHandle (hObject=0x194) returned 1 [0052.972] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.972] SetEndOfFile (hFile=0x1f8) returned 1 [0052.974] CloseHandle (hObject=0x1f8) returned 1 [0052.974] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0052.974] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString=".doc") returned 4 [0052.975] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.975] lstrlenW (lpString=".docx") returned 5 [0052.975] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.975] lstrlenW (lpString=".pdf") returned 4 [0052.975] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.975] lstrlenW (lpString=".xls") returned 4 [0052.975] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.975] lstrlenW (lpString=".xlsx") returned 5 [0052.975] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.975] lstrlenW (lpString=".ppt") returned 4 [0052.975] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString=".zip") returned 4 [0052.975] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.975] lstrlenW (lpString=".rar") returned 4 [0052.975] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.975] lstrlenW (lpString=".bz2") returned 4 [0052.975] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.975] lstrlenW (lpString=".7z") returned 3 [0052.975] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString=".dbf") returned 4 [0052.975] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString=".1cd") returned 4 [0052.975] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString=".jpg") returned 4 [0052.975] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.976] lstrlenW (lpString=".doc") returned 4 [0052.976] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.976] lstrlenW (lpString=".docx") returned 5 [0052.976] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.976] lstrlenW (lpString=".pdf") returned 4 [0052.976] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.976] lstrlenW (lpString=".xls") returned 4 [0052.976] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.976] lstrlenW (lpString=".xlsx") returned 5 [0052.976] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.976] lstrlenW (lpString=".ppt") returned 4 [0052.976] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.976] lstrlenW (lpString=".zip") returned 4 [0052.976] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.976] lstrlenW (lpString=".rar") returned 4 [0052.976] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.976] lstrlenW (lpString=".bz2") returned 4 [0052.976] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.976] lstrlenW (lpString=".7z") returned 3 [0052.976] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.976] lstrlenW (lpString=".dbf") returned 4 [0052.976] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.976] lstrlenW (lpString=".1cd") returned 4 [0052.976] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.976] lstrlenW (lpString=".jpg") returned 4 [0052.976] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.976] lstrcmpiW (lpString1=".dll", lpString2=".NcOv") returned -1 [0052.976] lstrlenW (lpString="osetup.dll") returned 10 [0052.977] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.977] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=7378792) returned 1 [0052.977] CloseHandle (hObject=0x1f8) returned 1 [0052.977] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0052.977] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0052.977] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0052.978] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.978] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.978] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.978] ReadFile (in: hFile=0x1f8, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.983] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.983] ReadFile (in: hFile=0x1f8, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.991] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.991] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.991] ReadFile (in: hFile=0x1f8, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.393] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.394] WriteFile (in: hFile=0x1f8, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0053.409] SetEndOfFile (hFile=0x1f8) returned 1 [0053.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0053.413] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.413] WriteFile (in: hFile=0x1f8, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.415] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.415] WriteFile (in: hFile=0x1f8, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.418] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.418] WriteFile (in: hFile=0x1f8, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.420] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0053.702] CloseHandle (hObject=0x1f8) returned 1 [0053.703] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0053.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.703] lstrlenW (lpString=".doc") returned 4 [0053.703] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.703] lstrlenW (lpString=".docx") returned 5 [0053.703] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0053.703] lstrlenW (lpString=".pdf") returned 4 [0053.703] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.703] lstrlenW (lpString=".xls") returned 4 [0053.703] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.704] lstrlenW (lpString=".xlsx") returned 5 [0053.704] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0053.704] lstrlenW (lpString=".ppt") returned 4 [0053.704] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.704] lstrlenW (lpString=".zip") returned 4 [0053.704] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.704] lstrlenW (lpString=".rar") returned 4 [0053.704] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.704] lstrlenW (lpString=".bz2") returned 4 [0053.704] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.704] lstrlenW (lpString=".7z") returned 3 [0053.704] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.704] lstrlenW (lpString=".dbf") returned 4 [0053.704] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.704] lstrlenW (lpString=".1cd") returned 4 [0053.704] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.704] lstrlenW (lpString=".jpg") returned 4 [0053.704] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.704] lstrlenW (lpString=".doc") returned 4 [0053.704] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.704] lstrlenW (lpString=".docx") returned 5 [0053.705] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0053.705] lstrlenW (lpString=".pdf") returned 4 [0053.705] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.705] lstrlenW (lpString=".xls") returned 4 [0053.705] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.705] lstrlenW (lpString=".xlsx") returned 5 [0053.705] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0053.705] lstrlenW (lpString=".ppt") returned 4 [0053.705] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.705] lstrlenW (lpString=".zip") returned 4 [0053.705] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.705] lstrlenW (lpString=".rar") returned 4 [0053.705] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.705] lstrlenW (lpString=".bz2") returned 4 [0053.705] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.705] lstrlenW (lpString=".7z") returned 3 [0053.705] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.705] lstrlenW (lpString=".dbf") returned 4 [0053.705] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.705] lstrlenW (lpString=".1cd") returned 4 [0053.705] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0053.705] lstrlenW (lpString=".jpg") returned 4 [0053.705] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.706] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0053.706] lstrlenW (lpString="PrjPrrWW.cab") returned 12 [0053.706] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0053.706] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=162970271) returned 1 [0053.706] CloseHandle (hObject=0x1f8) returned 1 [0053.706] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab")) returned 0x2020 [0053.707] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0053.707] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0053.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0053.708] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0053.708] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.708] ReadFile (in: hFile=0x1f8, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.733] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.733] ReadFile (in: hFile=0x1f8, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.798] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.799] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.799] ReadFile (in: hFile=0x1f8, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.822] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.822] WriteFile (in: hFile=0x1f8, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0055.027] SetEndOfFile (hFile=0x1f8) returned 1 [0055.027] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0055.027] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.027] WriteFile (in: hFile=0x1f8, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.074] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.074] WriteFile (in: hFile=0x1f8, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.095] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.095] WriteFile (in: hFile=0x1f8, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0055.097] CloseHandle (hObject=0x1f8) returned 1 [0055.098] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.098] lstrlenW (lpString=".doc") returned 4 [0055.098] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0055.098] lstrlenW (lpString=".docx") returned 5 [0055.098] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0055.098] lstrlenW (lpString=".pdf") returned 4 [0055.098] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0055.098] lstrlenW (lpString=".xls") returned 4 [0055.098] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0055.098] lstrlenW (lpString=".xlsx") returned 5 [0055.099] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0055.099] lstrlenW (lpString=".ppt") returned 4 [0055.099] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0055.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.099] lstrlenW (lpString=".zip") returned 4 [0055.099] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0055.099] lstrlenW (lpString=".rar") returned 4 [0055.099] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0055.099] lstrlenW (lpString=".bz2") returned 4 [0055.099] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0055.099] lstrlenW (lpString=".7z") returned 3 [0055.099] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0055.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.099] lstrlenW (lpString=".dbf") returned 4 [0055.099] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0055.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.099] lstrlenW (lpString=".1cd") returned 4 [0055.099] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0055.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.099] lstrlenW (lpString=".jpg") returned 4 [0055.099] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0055.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.099] lstrlenW (lpString=".doc") returned 4 [0055.099] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0055.099] lstrlenW (lpString=".docx") returned 5 [0055.099] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0055.099] lstrlenW (lpString=".pdf") returned 4 [0055.100] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0055.100] lstrlenW (lpString=".xls") returned 4 [0055.100] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0055.100] lstrlenW (lpString=".xlsx") returned 5 [0055.100] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0055.100] lstrlenW (lpString=".ppt") returned 4 [0055.100] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0055.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.100] lstrlenW (lpString=".zip") returned 4 [0055.100] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0055.100] lstrlenW (lpString=".rar") returned 4 [0055.100] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0055.100] lstrlenW (lpString=".bz2") returned 4 [0055.100] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0055.100] lstrlenW (lpString=".7z") returned 3 [0055.100] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0055.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.100] lstrlenW (lpString=".dbf") returned 4 [0055.100] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0055.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.100] lstrlenW (lpString=".1cd") returned 4 [0055.100] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0055.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0055.100] lstrlenW (lpString=".jpg") returned 4 [0055.100] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0055.101] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0055.101] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0055.101] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0055.138] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=36233052) returned 1 [0055.138] CloseHandle (hObject=0x228) returned 1 [0055.138] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0055.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0055.139] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0055.140] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0055.140] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.140] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.140] ReadFile (in: hFile=0x228, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.152] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.152] ReadFile (in: hFile=0x228, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.168] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.168] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.169] ReadFile (in: hFile=0x228, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.521] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.521] WriteFile (in: hFile=0x228, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0055.607] SetEndOfFile (hFile=0x228) returned 1 [0055.607] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fc60d8 [0055.816] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.816] WriteFile (in: hFile=0x228, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.817] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.817] WriteFile (in: hFile=0x228, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.818] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.818] WriteFile (in: hFile=0x228, lpBuffer=0x3fc60d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc60d8*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.821] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fc60d8 | out: hHeap=0x500000) returned 1 [0055.821] CloseHandle (hObject=0x228) returned 1 [0055.821] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0055.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.822] lstrlenW (lpString=".doc") returned 4 [0055.822] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0055.822] lstrlenW (lpString=".docx") returned 5 [0055.822] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0055.822] lstrlenW (lpString=".pdf") returned 4 [0055.822] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0055.822] lstrlenW (lpString=".xls") returned 4 [0055.822] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0055.822] lstrlenW (lpString=".xlsx") returned 5 [0055.822] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0055.822] lstrlenW (lpString=".ppt") returned 4 [0055.822] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0055.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.822] lstrlenW (lpString=".zip") returned 4 [0055.822] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0055.822] lstrlenW (lpString=".rar") returned 4 [0055.822] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0055.822] lstrlenW (lpString=".bz2") returned 4 [0055.822] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0055.822] lstrlenW (lpString=".7z") returned 3 [0055.822] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0055.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.822] lstrlenW (lpString=".dbf") returned 4 [0055.822] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0055.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.823] lstrlenW (lpString=".1cd") returned 4 [0055.823] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0055.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.823] lstrlenW (lpString=".jpg") returned 4 [0055.823] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0055.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.823] lstrlenW (lpString=".doc") returned 4 [0055.823] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0055.823] lstrlenW (lpString=".docx") returned 5 [0055.823] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0055.823] lstrlenW (lpString=".pdf") returned 4 [0055.823] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0055.823] lstrlenW (lpString=".xls") returned 4 [0055.823] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0055.823] lstrlenW (lpString=".xlsx") returned 5 [0055.823] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0055.823] lstrlenW (lpString=".ppt") returned 4 [0055.823] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0055.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.824] lstrlenW (lpString=".zip") returned 4 [0055.824] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0055.824] lstrlenW (lpString=".rar") returned 4 [0055.824] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0055.824] lstrlenW (lpString=".bz2") returned 4 [0055.824] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0055.824] lstrlenW (lpString=".7z") returned 3 [0055.824] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0055.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.824] lstrlenW (lpString=".dbf") returned 4 [0055.824] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0055.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.824] lstrlenW (lpString=".1cd") returned 4 [0055.825] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0055.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0055.825] lstrlenW (lpString=".jpg") returned 4 [0055.825] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0055.825] lstrcmpiW (lpString1=".cab", lpString2=".NcOv") returned -1 [0055.825] lstrlenW (lpString="VisiorWW.cab") returned 12 [0055.825] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0056.221] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=195011319) returned 1 [0056.221] CloseHandle (hObject=0x208) returned 1 [0056.221] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab")) returned 0x2020 [0056.221] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0056.225] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0056.261] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0056.261] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0056.262] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.262] ReadFile (in: hFile=0x208, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.272] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.272] ReadFile (in: hFile=0x208, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.280] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0056.280] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.280] ReadFile (in: hFile=0x208, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.300] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.300] WriteFile (in: hFile=0x208, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0056.530] SetEndOfFile (hFile=0x208) returned 1 [0056.673] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3f860d0 [0056.673] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.673] WriteFile (in: hFile=0x208, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.674] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.674] WriteFile (in: hFile=0x208, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.676] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.676] WriteFile (in: hFile=0x208, lpBuffer=0x3f860d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f860d0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.679] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f860d0 | out: hHeap=0x500000) returned 1 [0056.679] CloseHandle (hObject=0x208) returned 1 [0056.679] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x2020) returned 1 [0056.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.679] lstrlenW (lpString=".doc") returned 4 [0056.679] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0056.679] lstrlenW (lpString=".docx") returned 5 [0056.679] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0056.679] lstrlenW (lpString=".pdf") returned 4 [0056.679] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0056.679] lstrlenW (lpString=".xls") returned 4 [0056.679] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0056.679] lstrlenW (lpString=".xlsx") returned 5 [0056.679] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0056.679] lstrlenW (lpString=".ppt") returned 4 [0056.680] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0056.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.680] lstrlenW (lpString=".zip") returned 4 [0056.680] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0056.680] lstrlenW (lpString=".rar") returned 4 [0056.680] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0056.680] lstrlenW (lpString=".bz2") returned 4 [0056.680] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0056.680] lstrlenW (lpString=".7z") returned 3 [0056.680] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0056.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.680] lstrlenW (lpString=".dbf") returned 4 [0056.680] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0056.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.680] lstrlenW (lpString=".1cd") returned 4 [0056.680] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0056.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.680] lstrlenW (lpString=".jpg") returned 4 [0056.680] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0056.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.680] lstrlenW (lpString=".doc") returned 4 [0056.680] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0056.680] lstrlenW (lpString=".docx") returned 5 [0056.680] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0056.680] lstrlenW (lpString=".pdf") returned 4 [0056.680] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0056.681] lstrlenW (lpString=".xls") returned 4 [0056.681] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0056.681] lstrlenW (lpString=".xlsx") returned 5 [0056.681] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0056.681] lstrlenW (lpString=".ppt") returned 4 [0056.681] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0056.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.681] lstrlenW (lpString=".zip") returned 4 [0056.681] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0056.681] lstrlenW (lpString=".rar") returned 4 [0056.681] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0056.681] lstrlenW (lpString=".bz2") returned 4 [0056.681] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0056.681] lstrlenW (lpString=".7z") returned 3 [0056.681] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0056.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.681] lstrlenW (lpString=".dbf") returned 4 [0056.681] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0056.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.681] lstrlenW (lpString=".1cd") returned 4 [0056.681] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0056.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0056.681] lstrlenW (lpString=".jpg") returned 4 [0056.681] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0056.682] lstrcmpiW (lpString1=".EXE", lpString2=".NcOv") returned -1 [0056.682] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0056.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.901] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=629664) returned 1 [0057.901] CloseHandle (hObject=0x208) returned 1 [0057.901] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 0x20 [0057.901] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0057.901] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.901] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.901] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.901] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0058.111] GetLastError () returned 0x0 [0058.111] ReadFile (in: hFile=0x208, lpBuffer=0x3da0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fed4, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesRead=0x371fed4*=0x99ba0, lpOverlapped=0x0) returned 1 [0058.945] WriteFile (in: hFile=0x20c, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0x99bb0, lpNumberOfBytesWritten=0x371fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fc9c*=0x99bb0, lpOverlapped=0x0) returned 1 [0059.229] ReadFile (in: hFile=0x208, lpBuffer=0x3da0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fed4, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesRead=0x371fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.229] WriteFile (in: hFile=0x20c, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.229] SetEndOfFile (hFile=0x20c) returned 1 [0059.229] CloseHandle (hObject=0x20c) returned 1 [0059.230] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.230] SetEndOfFile (hFile=0x208) returned 1 [0059.237] CloseHandle (hObject=0x208) returned 1 [0059.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0059.237] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.238] lstrlenW (lpString=".doc") returned 4 [0059.238] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0059.238] lstrlenW (lpString=".docx") returned 5 [0059.238] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0059.238] lstrlenW (lpString=".pdf") returned 4 [0059.238] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0059.238] lstrlenW (lpString=".xls") returned 4 [0059.238] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0059.238] lstrlenW (lpString=".xlsx") returned 5 [0059.238] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0059.238] lstrlenW (lpString=".ppt") returned 4 [0059.238] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.238] lstrlenW (lpString=".zip") returned 4 [0059.238] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0059.238] lstrlenW (lpString=".rar") returned 4 [0059.238] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0059.238] lstrlenW (lpString=".bz2") returned 4 [0059.238] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0059.238] lstrlenW (lpString=".7z") returned 3 [0059.238] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.238] lstrlenW (lpString=".dbf") returned 4 [0059.239] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0059.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.239] lstrlenW (lpString=".1cd") returned 4 [0059.239] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0059.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.239] lstrlenW (lpString=".jpg") returned 4 [0059.239] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0059.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.239] lstrlenW (lpString=".doc") returned 4 [0059.239] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0059.239] lstrlenW (lpString=".docx") returned 5 [0059.239] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0059.239] lstrlenW (lpString=".pdf") returned 4 [0059.239] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0059.239] lstrlenW (lpString=".xls") returned 4 [0059.239] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0059.239] lstrlenW (lpString=".xlsx") returned 5 [0059.239] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0059.239] lstrlenW (lpString=".ppt") returned 4 [0059.239] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0059.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.239] lstrlenW (lpString=".zip") returned 4 [0059.239] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0059.239] lstrlenW (lpString=".rar") returned 4 [0059.239] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0059.240] lstrlenW (lpString=".bz2") returned 4 [0059.240] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0059.240] lstrlenW (lpString=".7z") returned 3 [0059.240] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0059.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.240] lstrlenW (lpString=".dbf") returned 4 [0059.430] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.430] lstrlenW (lpString=".1cd") returned 4 [0059.430] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0059.430] lstrlenW (lpString=".jpg") returned 4 [0059.430] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0059.431] lstrcmpiW (lpString1=".DLL", lpString2=".NcOv") returned -1 [0059.431] lstrlenW (lpString="VISFILT.DLL") returned 11 [0059.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0060.583] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x371ff1c | out: lpFileSize=0x371ff1c*=2124664) returned 1 [0060.583] CloseHandle (hObject=0x1f4) returned 1 [0060.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll")) returned 0x20 [0060.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 0xffffffff [0060.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[ncov2020@aol.com].ncov")) returned 1 [0060.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[ncov2020@aol.com].NcOv" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[ncov2020@aol.com].ncov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0060.584] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0x0) returned 1 [0060.584] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.584] ReadFile (in: hFile=0x1f4, lpBuffer=0x3da0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3da0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0060.588] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.589] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0060.598] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0060.598] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x371fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.598] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x371fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.001] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.001] WriteFile (in: hFile=0x1f4, lpBuffer=0x3da0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x371fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3da0020*, lpNumberOfBytesWritten=0x371fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0063.481] SetEndOfFile (hFile=0x1f4) returned 1 [0063.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40000) returned 0x3fa60e0 [0063.511] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0063.512] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0063.513] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0063.514] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0063.517] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x371fc7c | out: lpNewFilePointer=0x0) returned 1 [0063.517] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa60e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa60e0*, lpNumberOfBytesWritten=0x371fc88*=0x40000, lpOverlapped=0x0) returned 1 [0063.523] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60e0 | out: hHeap=0x500000) returned 1 [0063.523] CloseHandle (hObject=0x1f4) returned 1 [0063.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[ncov2020@aol.com].NcOv", dwFileAttributes=0x20) returned 1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.524] lstrlenW (lpString=".doc") returned 4 [0063.524] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0063.524] lstrlenW (lpString=".docx") returned 5 [0063.524] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0063.524] lstrlenW (lpString=".pdf") returned 4 [0063.524] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0063.524] lstrlenW (lpString=".xls") returned 4 [0063.524] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0063.524] lstrlenW (lpString=".xlsx") returned 5 [0063.524] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0063.524] lstrlenW (lpString=".ppt") returned 4 [0063.524] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.524] lstrlenW (lpString=".zip") returned 4 [0063.524] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0063.524] lstrlenW (lpString=".rar") returned 4 [0063.524] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0063.524] lstrlenW (lpString=".bz2") returned 4 [0063.524] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0063.524] lstrlenW (lpString=".7z") returned 3 [0063.524] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.525] lstrlenW (lpString=".dbf") returned 4 [0063.525] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0063.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.525] lstrlenW (lpString=".1cd") returned 4 [0063.525] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0063.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.525] lstrlenW (lpString=".jpg") returned 4 [0063.525] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0063.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.525] lstrlenW (lpString=".doc") returned 4 [0063.525] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0063.525] lstrlenW (lpString=".docx") returned 5 [0063.525] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0063.525] lstrlenW (lpString=".pdf") returned 4 [0063.525] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0063.525] lstrlenW (lpString=".xls") returned 4 [0063.525] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0063.525] lstrlenW (lpString=".xlsx") returned 5 [0063.525] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0063.525] lstrlenW (lpString=".ppt") returned 4 [0063.525] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0063.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.525] lstrlenW (lpString=".zip") returned 4 [0063.525] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0063.526] lstrlenW (lpString=".rar") returned 4 [0063.526] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0063.526] lstrlenW (lpString=".bz2") returned 4 [0063.526] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0063.526] lstrlenW (lpString=".7z") returned 3 [0063.526] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0063.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.526] lstrlenW (lpString=".dbf") returned 4 [0063.526] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0063.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.526] lstrlenW (lpString=".1cd") returned 4 [0063.526] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0063.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0063.526] lstrlenW (lpString=".jpg") returned 4 [0063.526] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0063.526] lstrcmpiW (lpString1=".FLT", lpString2=".NcOv") returned -1 [0063.526] lstrlenW (lpString="EPSIMP32.FLT") returned 12 [0063.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 19 os_tid = 0xb3c [0037.783] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x37f10b8 [0037.783] lstrlenW (lpString="C:") returned 2 [0037.783] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3a6fd00 | out: lpFindFileData=0x3a6fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5f60b8 [0037.783] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0037.783] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0037.783] lstrlenW (lpString="$Recycle.Bin") returned 12 [0037.783] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0037.783] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x38010c0 [0037.784] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0037.784] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3a6fa84 | out: lpFindFileData=0x3a6fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5f60f8 [0037.784] FindNextFileW (in: hFindFile=0x5f60f8, lpFindFileData=0x3a6fa84 | out: lpFindFileData=0x3a6fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.784] FindNextFileW (in: hFindFile=0x5f60f8, lpFindFileData=0x3a6fa84 | out: lpFindFileData=0x3a6fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8e6b7680, ftLastAccessTime.dwHighDateTime=0x1d5eb2e, ftLastWriteTime.dwLowDateTime=0x8e6b7680, ftLastWriteTime.dwHighDateTime=0x1d5eb2e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0037.784] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0037.784] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0037.784] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0037.784] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0037.784] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3eb0048 [0037.799] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0037.799] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3a6f808 | out: lpFindFileData=0x3a6f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8e6b7680, ftLastAccessTime.dwHighDateTime=0x1d5eb2e, ftLastWriteTime.dwLowDateTime=0x8e6dd7e0, ftLastWriteTime.dwHighDateTime=0x1d5eb2e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5f6138 [0037.800] FindNextFileW (in: hFindFile=0x5f6138, lpFindFileData=0x3a6f808 | out: lpFindFileData=0x3a6f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8e6b7680, ftLastAccessTime.dwHighDateTime=0x1d5eb2e, ftLastWriteTime.dwLowDateTime=0x8e6dd7e0, ftLastWriteTime.dwHighDateTime=0x1d5eb2e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.800] FindNextFileW (in: hFindFile=0x5f6138, lpFindFileData=0x3a6f808 | out: lpFindFileData=0x3a6f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8e6b7680, ftCreationTime.dwHighDateTime=0x1d5eb2e, ftLastAccessTime.dwLowDateTime=0x8e6b7680, ftLastAccessTime.dwHighDateTime=0x1d5eb2e, ftLastWriteTime.dwLowDateTime=0x8e6dd7e0, ftLastWriteTime.dwHighDateTime=0x1d5eb2e, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv", cAlternateFileName="DESKTO~1.NCO")) returned 1 [0037.800] lstrlenW (lpString="desktop.ini.id-9C354B42.[ncov2020@aol.com].NcOv") returned 47 [0037.800] lstrlenW (lpString=".1cd") returned 4 [0037.800] lstrcmpiW (lpString1=".1cd", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".3ds") returned 4 [0037.800] lstrcmpiW (lpString1=".3ds", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".3fr") returned 4 [0037.800] lstrcmpiW (lpString1=".3fr", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".3g2") returned 4 [0037.800] lstrcmpiW (lpString1=".3g2", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".3gp") returned 4 [0037.800] lstrcmpiW (lpString1=".3gp", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".7z") returned 3 [0037.800] lstrcmpiW (lpString1=".7z", lpString2="cOv") returned -1 [0037.800] lstrlenW (lpString=".accda") returned 6 [0037.800] lstrcmpiW (lpString1=".accda", lpString2="].NcOv") returned -1 [0037.800] lstrlenW (lpString=".accdb") returned 6 [0037.800] lstrcmpiW (lpString1=".accdb", lpString2="].NcOv") returned -1 [0037.800] lstrlenW (lpString=".accdc") returned 6 [0037.800] lstrcmpiW (lpString1=".accdc", lpString2="].NcOv") returned -1 [0037.800] lstrlenW (lpString=".accde") returned 6 [0037.800] lstrcmpiW (lpString1=".accde", lpString2="].NcOv") returned -1 [0037.800] lstrlenW (lpString=".accdt") returned 6 [0037.800] lstrcmpiW (lpString1=".accdt", lpString2="].NcOv") returned -1 [0037.800] lstrlenW (lpString=".accdw") returned 6 [0037.800] lstrcmpiW (lpString1=".accdw", lpString2="].NcOv") returned -1 [0037.800] lstrlenW (lpString=".adb") returned 4 [0037.800] lstrcmpiW (lpString1=".adb", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".adp") returned 4 [0037.800] lstrcmpiW (lpString1=".adp", lpString2="NcOv") returned -1 [0037.800] lstrlenW (lpString=".ai") returned 3 [0037.801] lstrcmpiW (lpString1=".ai", lpString2="cOv") returned -1 [0037.801] lstrlenW (lpString=".ai3") returned 4 [0037.801] lstrcmpiW (lpString1=".ai3", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".ai4") returned 4 [0037.801] lstrcmpiW (lpString1=".ai4", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".ai5") returned 4 [0037.801] lstrcmpiW (lpString1=".ai5", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".ai6") returned 4 [0037.801] lstrcmpiW (lpString1=".ai6", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".ai7") returned 4 [0037.801] lstrcmpiW (lpString1=".ai7", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".ai8") returned 4 [0037.801] lstrcmpiW (lpString1=".ai8", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".anim") returned 5 [0037.801] lstrcmpiW (lpString1=".anim", lpString2=".NcOv") returned -1 [0037.801] lstrlenW (lpString=".arw") returned 4 [0037.801] lstrcmpiW (lpString1=".arw", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".as") returned 3 [0037.801] lstrcmpiW (lpString1=".as", lpString2="cOv") returned -1 [0037.801] lstrlenW (lpString=".asa") returned 4 [0037.801] lstrcmpiW (lpString1=".asa", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".asc") returned 4 [0037.801] lstrcmpiW (lpString1=".asc", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".ascx") returned 5 [0037.801] lstrcmpiW (lpString1=".ascx", lpString2=".NcOv") returned -1 [0037.801] lstrlenW (lpString=".asm") returned 4 [0037.801] lstrcmpiW (lpString1=".asm", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".asmx") returned 5 [0037.801] lstrcmpiW (lpString1=".asmx", lpString2=".NcOv") returned -1 [0037.801] lstrlenW (lpString=".asp") returned 4 [0037.801] lstrcmpiW (lpString1=".asp", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".aspx") returned 5 [0037.801] lstrcmpiW (lpString1=".aspx", lpString2=".NcOv") returned -1 [0037.801] lstrlenW (lpString=".asr") returned 4 [0037.801] lstrcmpiW (lpString1=".asr", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".asx") returned 4 [0037.801] lstrcmpiW (lpString1=".asx", lpString2="NcOv") returned -1 [0037.801] lstrlenW (lpString=".avi") returned 4 [0037.801] lstrcmpiW (lpString1=".avi", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".avs") returned 4 [0037.802] lstrcmpiW (lpString1=".avs", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".backup") returned 7 [0037.802] lstrcmpiW (lpString1=".backup", lpString2="m].NcOv") returned -1 [0037.802] lstrlenW (lpString=".bak") returned 4 [0037.802] lstrcmpiW (lpString1=".bak", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".bay") returned 4 [0037.802] lstrcmpiW (lpString1=".bay", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".bd") returned 3 [0037.802] lstrcmpiW (lpString1=".bd", lpString2="cOv") returned -1 [0037.802] lstrlenW (lpString=".bin") returned 4 [0037.802] lstrcmpiW (lpString1=".bin", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".bmp") returned 4 [0037.802] lstrcmpiW (lpString1=".bmp", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".bz2") returned 4 [0037.802] lstrcmpiW (lpString1=".bz2", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".c") returned 2 [0037.802] lstrcmpiW (lpString1=".c", lpString2="Ov") returned -1 [0037.802] lstrlenW (lpString=".cdr") returned 4 [0037.802] lstrcmpiW (lpString1=".cdr", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".cer") returned 4 [0037.802] lstrcmpiW (lpString1=".cer", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".cf") returned 3 [0037.802] lstrcmpiW (lpString1=".cf", lpString2="cOv") returned -1 [0037.802] lstrlenW (lpString=".cfc") returned 4 [0037.802] lstrcmpiW (lpString1=".cfc", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".cfm") returned 4 [0037.802] lstrcmpiW (lpString1=".cfm", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".cfml") returned 5 [0037.802] lstrcmpiW (lpString1=".cfml", lpString2=".NcOv") returned -1 [0037.802] lstrlenW (lpString=".cfu") returned 4 [0037.802] lstrcmpiW (lpString1=".cfu", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".chm") returned 4 [0037.802] lstrcmpiW (lpString1=".chm", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".cin") returned 4 [0037.802] lstrcmpiW (lpString1=".cin", lpString2="NcOv") returned -1 [0037.802] lstrlenW (lpString=".class") returned 6 [0037.802] lstrcmpiW (lpString1=".class", lpString2="].NcOv") returned -1 [0037.802] lstrlenW (lpString=".clx") returned 4 [0037.803] lstrcmpiW (lpString1=".clx", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".config") returned 7 [0037.803] lstrcmpiW (lpString1=".config", lpString2="m].NcOv") returned -1 [0037.803] lstrlenW (lpString=".cpp") returned 4 [0037.803] lstrcmpiW (lpString1=".cpp", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".cr2") returned 4 [0037.803] lstrcmpiW (lpString1=".cr2", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".crt") returned 4 [0037.803] lstrcmpiW (lpString1=".crt", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".crw") returned 4 [0037.803] lstrcmpiW (lpString1=".crw", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".cs") returned 3 [0037.803] lstrcmpiW (lpString1=".cs", lpString2="cOv") returned -1 [0037.803] lstrlenW (lpString=".css") returned 4 [0037.803] lstrcmpiW (lpString1=".css", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".csv") returned 4 [0037.803] lstrcmpiW (lpString1=".csv", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".cub") returned 4 [0037.803] lstrcmpiW (lpString1=".cub", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".dae") returned 4 [0037.803] lstrcmpiW (lpString1=".dae", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".dat") returned 4 [0037.803] lstrcmpiW (lpString1=".dat", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".db") returned 3 [0037.803] lstrcmpiW (lpString1=".db", lpString2="cOv") returned -1 [0037.803] lstrlenW (lpString=".dbf") returned 4 [0037.803] lstrcmpiW (lpString1=".dbf", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".dbx") returned 4 [0037.803] lstrcmpiW (lpString1=".dbx", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".dc3") returned 4 [0037.803] lstrcmpiW (lpString1=".dc3", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".dcm") returned 4 [0037.803] lstrcmpiW (lpString1=".dcm", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".dcr") returned 4 [0037.803] lstrcmpiW (lpString1=".dcr", lpString2="NcOv") returned -1 [0037.803] lstrlenW (lpString=".der") returned 4 [0037.803] lstrcmpiW (lpString1=".der", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dib") returned 4 [0037.804] lstrcmpiW (lpString1=".dib", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dic") returned 4 [0037.804] lstrcmpiW (lpString1=".dic", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dif") returned 4 [0037.804] lstrcmpiW (lpString1=".dif", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".divx") returned 5 [0037.804] lstrcmpiW (lpString1=".divx", lpString2=".NcOv") returned -1 [0037.804] lstrlenW (lpString=".djvu") returned 5 [0037.804] lstrcmpiW (lpString1=".djvu", lpString2=".NcOv") returned -1 [0037.804] lstrlenW (lpString=".dng") returned 4 [0037.804] lstrcmpiW (lpString1=".dng", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".doc") returned 4 [0037.804] lstrcmpiW (lpString1=".doc", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".docm") returned 5 [0037.804] lstrcmpiW (lpString1=".docm", lpString2=".NcOv") returned -1 [0037.804] lstrlenW (lpString=".docx") returned 5 [0037.804] lstrcmpiW (lpString1=".docx", lpString2=".NcOv") returned -1 [0037.804] lstrlenW (lpString=".dot") returned 4 [0037.804] lstrcmpiW (lpString1=".dot", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dotm") returned 5 [0037.804] lstrcmpiW (lpString1=".dotm", lpString2=".NcOv") returned -1 [0037.804] lstrlenW (lpString=".dotx") returned 5 [0037.804] lstrcmpiW (lpString1=".dotx", lpString2=".NcOv") returned -1 [0037.804] lstrlenW (lpString=".dpx") returned 4 [0037.804] lstrcmpiW (lpString1=".dpx", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dqy") returned 4 [0037.804] lstrcmpiW (lpString1=".dqy", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dsn") returned 4 [0037.804] lstrcmpiW (lpString1=".dsn", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dt") returned 3 [0037.804] lstrcmpiW (lpString1=".dt", lpString2="cOv") returned -1 [0037.804] lstrlenW (lpString=".dtd") returned 4 [0037.804] lstrcmpiW (lpString1=".dtd", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dwg") returned 4 [0037.804] lstrcmpiW (lpString1=".dwg", lpString2="NcOv") returned -1 [0037.804] lstrlenW (lpString=".dwt") returned 4 [0037.804] lstrcmpiW (lpString1=".dwt", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".dx") returned 3 [0037.805] lstrcmpiW (lpString1=".dx", lpString2="cOv") returned -1 [0037.805] lstrlenW (lpString=".dxf") returned 4 [0037.805] lstrcmpiW (lpString1=".dxf", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".edml") returned 5 [0037.805] lstrcmpiW (lpString1=".edml", lpString2=".NcOv") returned -1 [0037.805] lstrlenW (lpString=".efd") returned 4 [0037.805] lstrcmpiW (lpString1=".efd", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".elf") returned 4 [0037.805] lstrcmpiW (lpString1=".elf", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".emf") returned 4 [0037.805] lstrcmpiW (lpString1=".emf", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".emz") returned 4 [0037.805] lstrcmpiW (lpString1=".emz", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".epf") returned 4 [0037.805] lstrcmpiW (lpString1=".epf", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".eps") returned 4 [0037.805] lstrcmpiW (lpString1=".eps", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".epsf") returned 5 [0037.805] lstrcmpiW (lpString1=".epsf", lpString2=".NcOv") returned -1 [0037.805] lstrlenW (lpString=".epsp") returned 5 [0037.805] lstrcmpiW (lpString1=".epsp", lpString2=".NcOv") returned -1 [0037.805] lstrlenW (lpString=".erf") returned 4 [0037.805] lstrcmpiW (lpString1=".erf", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".exr") returned 4 [0037.805] lstrcmpiW (lpString1=".exr", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".f4v") returned 4 [0037.805] lstrcmpiW (lpString1=".f4v", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".fido") returned 5 [0037.805] lstrcmpiW (lpString1=".fido", lpString2=".NcOv") returned -1 [0037.805] lstrlenW (lpString=".flm") returned 4 [0037.805] lstrcmpiW (lpString1=".flm", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".flv") returned 4 [0037.805] lstrcmpiW (lpString1=".flv", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".frm") returned 4 [0037.805] lstrcmpiW (lpString1=".frm", lpString2="NcOv") returned -1 [0037.805] lstrlenW (lpString=".fxg") returned 4 [0037.805] lstrcmpiW (lpString1=".fxg", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".geo") returned 4 [0037.806] lstrcmpiW (lpString1=".geo", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".gif") returned 4 [0037.806] lstrcmpiW (lpString1=".gif", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".grs") returned 4 [0037.806] lstrcmpiW (lpString1=".grs", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".gz") returned 3 [0037.806] lstrcmpiW (lpString1=".gz", lpString2="cOv") returned -1 [0037.806] lstrlenW (lpString=".h") returned 2 [0037.806] lstrcmpiW (lpString1=".h", lpString2="Ov") returned -1 [0037.806] lstrlenW (lpString=".hdr") returned 4 [0037.806] lstrcmpiW (lpString1=".hdr", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".hpp") returned 4 [0037.806] lstrcmpiW (lpString1=".hpp", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".hta") returned 4 [0037.806] lstrcmpiW (lpString1=".hta", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".htc") returned 4 [0037.806] lstrcmpiW (lpString1=".htc", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".htm") returned 4 [0037.806] lstrcmpiW (lpString1=".htm", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".html") returned 5 [0037.806] lstrcmpiW (lpString1=".html", lpString2=".NcOv") returned -1 [0037.806] lstrlenW (lpString=".icb") returned 4 [0037.806] lstrcmpiW (lpString1=".icb", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".ics") returned 4 [0037.806] lstrcmpiW (lpString1=".ics", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".iff") returned 4 [0037.806] lstrcmpiW (lpString1=".iff", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".inc") returned 4 [0037.806] lstrcmpiW (lpString1=".inc", lpString2="NcOv") returned -1 [0037.806] lstrlenW (lpString=".indd") returned 5 [0037.806] lstrcmpiW (lpString1=".indd", lpString2=".NcOv") returned -1 [0037.807] lstrlenW (lpString=".ini") returned 4 [0037.807] lstrcmpiW (lpString1=".ini", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".iqy") returned 4 [0037.807] lstrcmpiW (lpString1=".iqy", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".j2c") returned 4 [0037.807] lstrcmpiW (lpString1=".j2c", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".j2k") returned 4 [0037.807] lstrcmpiW (lpString1=".j2k", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".java") returned 5 [0037.807] lstrcmpiW (lpString1=".java", lpString2=".NcOv") returned -1 [0037.807] lstrlenW (lpString=".jp2") returned 4 [0037.807] lstrcmpiW (lpString1=".jp2", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".jpc") returned 4 [0037.807] lstrcmpiW (lpString1=".jpc", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".jpe") returned 4 [0037.807] lstrcmpiW (lpString1=".jpe", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".jpeg") returned 5 [0037.807] lstrcmpiW (lpString1=".jpeg", lpString2=".NcOv") returned -1 [0037.807] lstrlenW (lpString=".jpf") returned 4 [0037.807] lstrcmpiW (lpString1=".jpf", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".jpg") returned 4 [0037.807] lstrcmpiW (lpString1=".jpg", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".jpx") returned 4 [0037.807] lstrcmpiW (lpString1=".jpx", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".js") returned 3 [0037.807] lstrcmpiW (lpString1=".js", lpString2="cOv") returned -1 [0037.807] lstrlenW (lpString=".jsf") returned 4 [0037.807] lstrcmpiW (lpString1=".jsf", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".json") returned 5 [0037.807] lstrcmpiW (lpString1=".json", lpString2=".NcOv") returned -1 [0037.807] lstrlenW (lpString=".jsp") returned 4 [0037.807] lstrcmpiW (lpString1=".jsp", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".kdc") returned 4 [0037.807] lstrcmpiW (lpString1=".kdc", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".kmz") returned 4 [0037.807] lstrcmpiW (lpString1=".kmz", lpString2="NcOv") returned -1 [0037.807] lstrlenW (lpString=".kwm") returned 4 [0037.808] lstrcmpiW (lpString1=".kwm", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".lasso") returned 6 [0037.808] lstrcmpiW (lpString1=".lasso", lpString2="].NcOv") returned -1 [0037.808] lstrlenW (lpString=".lbi") returned 4 [0037.808] lstrcmpiW (lpString1=".lbi", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".lgf") returned 4 [0037.808] lstrcmpiW (lpString1=".lgf", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".lgp") returned 4 [0037.808] lstrcmpiW (lpString1=".lgp", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".log") returned 4 [0037.808] lstrcmpiW (lpString1=".log", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".m1v") returned 4 [0037.808] lstrcmpiW (lpString1=".m1v", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".m4a") returned 4 [0037.808] lstrcmpiW (lpString1=".m4a", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".m4v") returned 4 [0037.808] lstrcmpiW (lpString1=".m4v", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".max") returned 4 [0037.808] lstrcmpiW (lpString1=".max", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".md") returned 3 [0037.808] lstrcmpiW (lpString1=".md", lpString2="cOv") returned -1 [0037.808] lstrlenW (lpString=".mda") returned 4 [0037.808] lstrcmpiW (lpString1=".mda", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mdb") returned 4 [0037.808] lstrcmpiW (lpString1=".mdb", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mde") returned 4 [0037.808] lstrcmpiW (lpString1=".mde", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mdf") returned 4 [0037.808] lstrcmpiW (lpString1=".mdf", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mdw") returned 4 [0037.808] lstrcmpiW (lpString1=".mdw", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mef") returned 4 [0037.808] lstrcmpiW (lpString1=".mef", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mft") returned 4 [0037.808] lstrcmpiW (lpString1=".mft", lpString2="NcOv") returned -1 [0037.808] lstrlenW (lpString=".mfw") returned 4 [0037.808] lstrcmpiW (lpString1=".mfw", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mht") returned 4 [0037.809] lstrcmpiW (lpString1=".mht", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mhtml") returned 6 [0037.809] lstrcmpiW (lpString1=".mhtml", lpString2="].NcOv") returned -1 [0037.809] lstrlenW (lpString=".mka") returned 4 [0037.809] lstrcmpiW (lpString1=".mka", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mkidx") returned 6 [0037.809] lstrcmpiW (lpString1=".mkidx", lpString2="].NcOv") returned -1 [0037.809] lstrlenW (lpString=".mkv") returned 4 [0037.809] lstrcmpiW (lpString1=".mkv", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mos") returned 4 [0037.809] lstrcmpiW (lpString1=".mos", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mov") returned 4 [0037.809] lstrcmpiW (lpString1=".mov", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mp3") returned 4 [0037.809] lstrcmpiW (lpString1=".mp3", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mp4") returned 4 [0037.809] lstrcmpiW (lpString1=".mp4", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mpeg") returned 5 [0037.809] lstrcmpiW (lpString1=".mpeg", lpString2=".NcOv") returned -1 [0037.809] lstrlenW (lpString=".mpg") returned 4 [0037.809] lstrcmpiW (lpString1=".mpg", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mpv") returned 4 [0037.809] lstrcmpiW (lpString1=".mpv", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mrw") returned 4 [0037.809] lstrcmpiW (lpString1=".mrw", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".msg") returned 4 [0037.809] lstrcmpiW (lpString1=".msg", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".mxl") returned 4 [0037.809] lstrcmpiW (lpString1=".mxl", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".myd") returned 4 [0037.809] lstrcmpiW (lpString1=".myd", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".myi") returned 4 [0037.809] lstrcmpiW (lpString1=".myi", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".nef") returned 4 [0037.809] lstrcmpiW (lpString1=".nef", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".nrw") returned 4 [0037.809] lstrcmpiW (lpString1=".nrw", lpString2="NcOv") returned -1 [0037.809] lstrlenW (lpString=".obj") returned 4 [0037.810] lstrcmpiW (lpString1=".obj", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".odb") returned 4 [0037.810] lstrcmpiW (lpString1=".odb", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".odc") returned 4 [0037.810] lstrcmpiW (lpString1=".odc", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".odm") returned 4 [0037.810] lstrcmpiW (lpString1=".odm", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".odp") returned 4 [0037.810] lstrcmpiW (lpString1=".odp", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".ods") returned 4 [0037.810] lstrcmpiW (lpString1=".ods", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".oft") returned 4 [0037.810] lstrcmpiW (lpString1=".oft", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".one") returned 4 [0037.810] lstrcmpiW (lpString1=".one", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".onepkg") returned 7 [0037.810] lstrcmpiW (lpString1=".onepkg", lpString2="m].NcOv") returned -1 [0037.810] lstrlenW (lpString=".onetoc2") returned 8 [0037.810] lstrcmpiW (lpString1=".onetoc2", lpString2="om].NcOv") returned -1 [0037.810] lstrlenW (lpString=".opt") returned 4 [0037.810] lstrcmpiW (lpString1=".opt", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".oqy") returned 4 [0037.810] lstrcmpiW (lpString1=".oqy", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".orf") returned 4 [0037.810] lstrcmpiW (lpString1=".orf", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".p12") returned 4 [0037.810] lstrcmpiW (lpString1=".p12", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".p7b") returned 4 [0037.810] lstrcmpiW (lpString1=".p7b", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".p7c") returned 4 [0037.810] lstrcmpiW (lpString1=".p7c", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".pam") returned 4 [0037.810] lstrcmpiW (lpString1=".pam", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".pbm") returned 4 [0037.810] lstrcmpiW (lpString1=".pbm", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".pct") returned 4 [0037.810] lstrcmpiW (lpString1=".pct", lpString2="NcOv") returned -1 [0037.810] lstrlenW (lpString=".pcx") returned 4 [0037.811] lstrcmpiW (lpString1=".pcx", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pdd") returned 4 [0037.811] lstrcmpiW (lpString1=".pdd", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pdf") returned 4 [0037.811] lstrcmpiW (lpString1=".pdf", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pdp") returned 4 [0037.811] lstrcmpiW (lpString1=".pdp", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pef") returned 4 [0037.811] lstrcmpiW (lpString1=".pef", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pem") returned 4 [0037.811] lstrcmpiW (lpString1=".pem", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pff") returned 4 [0037.811] lstrcmpiW (lpString1=".pff", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pfm") returned 4 [0037.811] lstrcmpiW (lpString1=".pfm", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pfx") returned 4 [0037.811] lstrcmpiW (lpString1=".pfx", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pgm") returned 4 [0037.811] lstrcmpiW (lpString1=".pgm", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".php") returned 4 [0037.811] lstrcmpiW (lpString1=".php", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".php3") returned 5 [0037.811] lstrcmpiW (lpString1=".php3", lpString2=".NcOv") returned 1 [0037.811] lstrlenW (lpString=".php4") returned 5 [0037.811] lstrcmpiW (lpString1=".php4", lpString2=".NcOv") returned 1 [0037.811] lstrlenW (lpString=".php5") returned 5 [0037.811] lstrcmpiW (lpString1=".php5", lpString2=".NcOv") returned 1 [0037.811] lstrlenW (lpString=".phtml") returned 6 [0037.811] lstrcmpiW (lpString1=".phtml", lpString2="].NcOv") returned -1 [0037.811] lstrlenW (lpString=".pict") returned 5 [0037.811] lstrcmpiW (lpString1=".pict", lpString2=".NcOv") returned 1 [0037.811] lstrlenW (lpString=".pl") returned 3 [0037.811] lstrcmpiW (lpString1=".pl", lpString2="cOv") returned -1 [0037.811] lstrlenW (lpString=".pls") returned 4 [0037.811] lstrcmpiW (lpString1=".pls", lpString2="NcOv") returned -1 [0037.811] lstrlenW (lpString=".pm") returned 3 [0037.811] lstrcmpiW (lpString1=".pm", lpString2="cOv") returned -1 [0037.812] lstrlenW (lpString=".png") returned 4 [0037.812] lstrcmpiW (lpString1=".png", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".pnm") returned 4 [0037.812] lstrcmpiW (lpString1=".pnm", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".pot") returned 4 [0037.812] lstrcmpiW (lpString1=".pot", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".potm") returned 5 [0037.812] lstrcmpiW (lpString1=".potm", lpString2=".NcOv") returned 1 [0037.812] lstrlenW (lpString=".potx") returned 5 [0037.812] lstrcmpiW (lpString1=".potx", lpString2=".NcOv") returned 1 [0037.812] lstrlenW (lpString=".ppa") returned 4 [0037.812] lstrcmpiW (lpString1=".ppa", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".ppam") returned 5 [0037.812] lstrcmpiW (lpString1=".ppam", lpString2=".NcOv") returned 1 [0037.812] lstrlenW (lpString=".ppm") returned 4 [0037.812] lstrcmpiW (lpString1=".ppm", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".pps") returned 4 [0037.812] lstrcmpiW (lpString1=".pps", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".ppsm") returned 5 [0037.812] lstrcmpiW (lpString1=".ppsm", lpString2=".NcOv") returned 1 [0037.812] lstrlenW (lpString=".ppt") returned 4 [0037.812] lstrcmpiW (lpString1=".ppt", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".pptm") returned 5 [0037.812] lstrcmpiW (lpString1=".pptm", lpString2=".NcOv") returned 1 [0037.812] lstrlenW (lpString=".pptx") returned 5 [0037.812] lstrcmpiW (lpString1=".pptx", lpString2=".NcOv") returned 1 [0037.812] lstrlenW (lpString=".prn") returned 4 [0037.812] lstrcmpiW (lpString1=".prn", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".ps") returned 3 [0037.812] lstrcmpiW (lpString1=".ps", lpString2="cOv") returned -1 [0037.812] lstrlenW (lpString=".psb") returned 4 [0037.812] lstrcmpiW (lpString1=".psb", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".psd") returned 4 [0037.812] lstrcmpiW (lpString1=".psd", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".pst") returned 4 [0037.812] lstrcmpiW (lpString1=".pst", lpString2="NcOv") returned -1 [0037.812] lstrlenW (lpString=".ptx") returned 4 [0037.813] lstrcmpiW (lpString1=".ptx", lpString2="NcOv") returned -1 [0037.813] lstrlenW (lpString=".pub") returned 4 [0037.813] lstrcmpiW (lpString1=".pub", lpString2="NcOv") returned -1 [0037.813] lstrlenW (lpString=".pwm") returned 4 [0037.813] lstrcmpiW (lpString1=".pwm", lpString2="NcOv") returned -1 [0041.269] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.270] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.270] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0041.270] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.270] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.270] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0041.270] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.271] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.271] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc081900, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdc081900, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10fc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.ELM", cAlternateFileName="")) returned 1 [0041.271] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.271] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS", cAlternateFileName="")) returned 1 [0041.271] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.271] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.271] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0041.271] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.271] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0041.272] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.272] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.272] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32f2700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32f2700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10db7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.ELM", cAlternateFileName="")) returned 1 [0041.272] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.272] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.272] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0041.272] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.272] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.272] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c2ae00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5f775610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6c2ae00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xc2ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.ELM", cAlternateFileName="")) returned 1 [0041.272] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.272] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.273] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0041.273] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.273] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.273] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3db00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7f3db00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xda86, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.ELM", cAlternateFileName="")) returned 1 [0041.273] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.273] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.273] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0041.273] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.273] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.273] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9250800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe9250800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xeafa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI.ELM", cAlternateFileName="")) returned 1 [0041.273] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.274] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.274] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0041.274] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.274] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.274] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea563500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea563500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1a537, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE.ELM", cAlternateFileName="")) returned 1 [0041.274] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.274] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.274] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON", cAlternateFileName="")) returned 1 [0041.274] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.274] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.274] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb876200, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c2ab50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb876200, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec9, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON.ELM", cAlternateFileName="")) returned 1 [0041.275] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.275] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.275] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0041.275] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.275] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.275] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb88f00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x603362b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xecb88f00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe1ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES.ELM", cAlternateFileName="")) returned 1 [0041.275] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.275] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.275] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0041.275] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.275] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.275] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede9bc00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xede9bc00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xba44, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE.ELM", cAlternateFileName="")) returned 1 [0041.276] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.276] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.276] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0041.276] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.276] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.276] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf17d4300, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6041aaf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf17d4300, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xd613, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS.ELM", cAlternateFileName="")) returned 1 [0041.276] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.276] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.276] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0041.276] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.276] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.276] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2ae7000, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2ae7000, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb1d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE.ELM", cAlternateFileName="")) returned 1 [0041.277] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.277] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.277] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0041.277] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.277] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.277] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf641f700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf641f700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x116dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE.ELM", cAlternateFileName="")) returned 1 [0041.277] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.277] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.277] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO", cAlternateFileName="")) returned 1 [0041.277] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.277] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.278] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a45100, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8a45100, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb0ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO.ELM", cAlternateFileName="")) returned 1 [0041.278] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.278] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.278] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0041.278] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.278] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.278] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d57e00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51eb22b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9d57e00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1cf31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE.ELM", cAlternateFileName="")) returned 1 [0041.278] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.278] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.278] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE", cAlternateFileName="")) returned 1 [0041.278] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.279] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.279] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb06ab00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51f70990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfb06ab00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE.ELM", cAlternateFileName="")) returned 1 [0041.279] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.279] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.279] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0041.279] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.566] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.566] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc37d800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x52008f10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc37d800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x12dee, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN.ELM", cAlternateFileName="")) returned 1 [0041.567] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.567] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.567] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0041.567] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.567] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.567] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd690500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd690500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x19539, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN.ELM", cAlternateFileName="")) returned 1 [0041.568] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.568] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE", cAlternateFileName="")) returned 1 [0041.568] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.569] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.569] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ee600, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35ee600, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x109d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE.ELM", cAlternateFileName="")) returned 1 [0041.569] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.569] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST", cAlternateFileName="")) returned 1 [0041.569] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.570] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.570] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4901300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x539538d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4901300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x184e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST.ELM", cAlternateFileName="")) returned 1 [0041.570] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.570] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.570] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS", cAlternateFileName="")) returned 1 [0041.570] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.571] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.571] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f26d00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f26d00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1015d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS.ELM", cAlternateFileName="")) returned 1 [0041.571] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.571] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.571] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0041.571] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.572] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.572] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239a00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8239a00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xba32, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL.ELM", cAlternateFileName="")) returned 1 [0041.572] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.572] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.572] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0041.572] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.573] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.573] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x954c700, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x567e4730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x954c700, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe743, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS.ELM", cAlternateFileName="")) returned 1 [0041.574] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f2d0a0 | out: hHeap=0x500000) returned 1 [0041.577] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0041.577] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.578] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.578] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85f400, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa85f400, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe2ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL.ELM", cAlternateFileName="")) returned 1 [0041.578] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.578] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.578] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0041.578] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0041.579] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.579] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x107bd500, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x107bd500, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xc649, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK.ELM", cAlternateFileName="")) returned 1 [0041.579] FindClose (in: hFindFile=0x3814330 | out: hFindFile=0x3814330) returned 1 [0041.579] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.579] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0041.579] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.580] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.580] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x140f5c00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x140f5c00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x166d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS.ELM", cAlternateFileName="")) returned 1 [0041.580] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.581] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.581] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL") returned 61 [0041.581] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL") returned 1 [0041.581] lstrlenW (lpString="PIXEL") returned 5 [0041.581] lstrcmpiW (lpString1="C:\\Windows", lpString2="PIXEL") returned -1 [0041.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3760068 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL") returned 61 [0041.581] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.581] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.581] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a2e300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17a2e300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xd0e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL.ELM", cAlternateFileName="")) returned 1 [0041.581] lstrlenW (lpString="PIXEL.ELM") returned 9 [0041.581] lstrlenW (lpString=".1cd") returned 4 [0041.581] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0041.581] lstrlenW (lpString=".3ds") returned 4 [0041.581] lstrcmpiW (lpString1=".3ds", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".3fr") returned 4 [0041.582] lstrcmpiW (lpString1=".3fr", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".3g2") returned 4 [0041.582] lstrcmpiW (lpString1=".3g2", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".3gp") returned 4 [0041.582] lstrcmpiW (lpString1=".3gp", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".7z") returned 3 [0041.582] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0041.582] lstrlenW (lpString=".accda") returned 6 [0041.582] lstrcmpiW (lpString1=".accda", lpString2="EL.ELM") returned -1 [0041.582] lstrlenW (lpString=".accdb") returned 6 [0041.582] lstrcmpiW (lpString1=".accdb", lpString2="EL.ELM") returned -1 [0041.582] lstrlenW (lpString=".accdc") returned 6 [0041.582] lstrcmpiW (lpString1=".accdc", lpString2="EL.ELM") returned -1 [0041.582] lstrlenW (lpString=".accde") returned 6 [0041.582] lstrcmpiW (lpString1=".accde", lpString2="EL.ELM") returned -1 [0041.582] lstrlenW (lpString=".accdt") returned 6 [0041.582] lstrcmpiW (lpString1=".accdt", lpString2="EL.ELM") returned -1 [0041.582] lstrlenW (lpString=".accdw") returned 6 [0041.582] lstrcmpiW (lpString1=".accdw", lpString2="EL.ELM") returned -1 [0041.582] lstrlenW (lpString=".adb") returned 4 [0041.582] lstrcmpiW (lpString1=".adb", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".adp") returned 4 [0041.582] lstrcmpiW (lpString1=".adp", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".ai") returned 3 [0041.582] lstrcmpiW (lpString1=".ai", lpString2="ELM") returned -1 [0041.582] lstrlenW (lpString=".ai3") returned 4 [0041.582] lstrcmpiW (lpString1=".ai3", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".ai4") returned 4 [0041.582] lstrcmpiW (lpString1=".ai4", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".ai5") returned 4 [0041.582] lstrcmpiW (lpString1=".ai5", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".ai6") returned 4 [0041.582] lstrcmpiW (lpString1=".ai6", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".ai7") returned 4 [0041.582] lstrcmpiW (lpString1=".ai7", lpString2=".ELM") returned -1 [0041.582] lstrlenW (lpString=".ai8") returned 4 [0041.582] lstrcmpiW (lpString1=".ai8", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".anim") returned 5 [0041.583] lstrcmpiW (lpString1=".anim", lpString2="L.ELM") returned -1 [0041.583] lstrlenW (lpString=".arw") returned 4 [0041.583] lstrcmpiW (lpString1=".arw", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".as") returned 3 [0041.583] lstrcmpiW (lpString1=".as", lpString2="ELM") returned -1 [0041.583] lstrlenW (lpString=".asa") returned 4 [0041.583] lstrcmpiW (lpString1=".asa", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".asc") returned 4 [0041.583] lstrcmpiW (lpString1=".asc", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".ascx") returned 5 [0041.583] lstrcmpiW (lpString1=".ascx", lpString2="L.ELM") returned -1 [0041.583] lstrlenW (lpString=".asm") returned 4 [0041.583] lstrcmpiW (lpString1=".asm", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".asmx") returned 5 [0041.583] lstrcmpiW (lpString1=".asmx", lpString2="L.ELM") returned -1 [0041.583] lstrlenW (lpString=".asp") returned 4 [0041.583] lstrcmpiW (lpString1=".asp", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".aspx") returned 5 [0041.583] lstrcmpiW (lpString1=".aspx", lpString2="L.ELM") returned -1 [0041.583] lstrlenW (lpString=".asr") returned 4 [0041.583] lstrcmpiW (lpString1=".asr", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".asx") returned 4 [0041.583] lstrcmpiW (lpString1=".asx", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".avi") returned 4 [0041.583] lstrcmpiW (lpString1=".avi", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".avs") returned 4 [0041.583] lstrcmpiW (lpString1=".avs", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".backup") returned 7 [0041.583] lstrcmpiW (lpString1=".backup", lpString2="XEL.ELM") returned -1 [0041.583] lstrlenW (lpString=".bak") returned 4 [0041.583] lstrcmpiW (lpString1=".bak", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".bay") returned 4 [0041.583] lstrcmpiW (lpString1=".bay", lpString2=".ELM") returned -1 [0041.583] lstrlenW (lpString=".bd") returned 3 [0041.583] lstrcmpiW (lpString1=".bd", lpString2="ELM") returned -1 [0041.583] lstrlenW (lpString=".bin") returned 4 [0041.584] lstrcmpiW (lpString1=".bin", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".bmp") returned 4 [0041.584] lstrcmpiW (lpString1=".bmp", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".bz2") returned 4 [0041.584] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".c") returned 2 [0041.584] lstrcmpiW (lpString1=".c", lpString2="LM") returned -1 [0041.584] lstrlenW (lpString=".cdr") returned 4 [0041.584] lstrcmpiW (lpString1=".cdr", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".cer") returned 4 [0041.584] lstrcmpiW (lpString1=".cer", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".cf") returned 3 [0041.584] lstrcmpiW (lpString1=".cf", lpString2="ELM") returned -1 [0041.584] lstrlenW (lpString=".cfc") returned 4 [0041.584] lstrcmpiW (lpString1=".cfc", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".cfm") returned 4 [0041.584] lstrcmpiW (lpString1=".cfm", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".cfml") returned 5 [0041.584] lstrcmpiW (lpString1=".cfml", lpString2="L.ELM") returned -1 [0041.584] lstrlenW (lpString=".cfu") returned 4 [0041.584] lstrcmpiW (lpString1=".cfu", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".chm") returned 4 [0041.584] lstrcmpiW (lpString1=".chm", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".cin") returned 4 [0041.584] lstrcmpiW (lpString1=".cin", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".class") returned 6 [0041.584] lstrcmpiW (lpString1=".class", lpString2="EL.ELM") returned -1 [0041.584] lstrlenW (lpString=".clx") returned 4 [0041.584] lstrcmpiW (lpString1=".clx", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".config") returned 7 [0041.584] lstrcmpiW (lpString1=".config", lpString2="XEL.ELM") returned -1 [0041.584] lstrlenW (lpString=".cpp") returned 4 [0041.584] lstrcmpiW (lpString1=".cpp", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".cr2") returned 4 [0041.584] lstrcmpiW (lpString1=".cr2", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".crt") returned 4 [0041.584] lstrcmpiW (lpString1=".crt", lpString2=".ELM") returned -1 [0041.584] lstrlenW (lpString=".crw") returned 4 [0041.585] lstrcmpiW (lpString1=".crw", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".cs") returned 3 [0041.585] lstrcmpiW (lpString1=".cs", lpString2="ELM") returned -1 [0041.585] lstrlenW (lpString=".css") returned 4 [0041.585] lstrcmpiW (lpString1=".css", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".csv") returned 4 [0041.585] lstrcmpiW (lpString1=".csv", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".cub") returned 4 [0041.585] lstrcmpiW (lpString1=".cub", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dae") returned 4 [0041.585] lstrcmpiW (lpString1=".dae", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dat") returned 4 [0041.585] lstrcmpiW (lpString1=".dat", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".db") returned 3 [0041.585] lstrcmpiW (lpString1=".db", lpString2="ELM") returned -1 [0041.585] lstrlenW (lpString=".dbf") returned 4 [0041.585] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dbx") returned 4 [0041.585] lstrcmpiW (lpString1=".dbx", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dc3") returned 4 [0041.585] lstrcmpiW (lpString1=".dc3", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dcm") returned 4 [0041.585] lstrcmpiW (lpString1=".dcm", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dcr") returned 4 [0041.585] lstrcmpiW (lpString1=".dcr", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".der") returned 4 [0041.585] lstrcmpiW (lpString1=".der", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dib") returned 4 [0041.585] lstrcmpiW (lpString1=".dib", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dic") returned 4 [0041.585] lstrcmpiW (lpString1=".dic", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".dif") returned 4 [0041.585] lstrcmpiW (lpString1=".dif", lpString2=".ELM") returned -1 [0041.585] lstrlenW (lpString=".divx") returned 5 [0041.585] lstrcmpiW (lpString1=".divx", lpString2="L.ELM") returned -1 [0041.585] lstrlenW (lpString=".djvu") returned 5 [0041.585] lstrcmpiW (lpString1=".djvu", lpString2="L.ELM") returned -1 [0041.586] lstrlenW (lpString=".dng") returned 4 [0041.586] lstrcmpiW (lpString1=".dng", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".doc") returned 4 [0041.586] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".docm") returned 5 [0041.586] lstrcmpiW (lpString1=".docm", lpString2="L.ELM") returned -1 [0041.586] lstrlenW (lpString=".docx") returned 5 [0041.586] lstrcmpiW (lpString1=".docx", lpString2="L.ELM") returned -1 [0041.586] lstrlenW (lpString=".dot") returned 4 [0041.586] lstrcmpiW (lpString1=".dot", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dotm") returned 5 [0041.586] lstrcmpiW (lpString1=".dotm", lpString2="L.ELM") returned -1 [0041.586] lstrlenW (lpString=".dotx") returned 5 [0041.586] lstrcmpiW (lpString1=".dotx", lpString2="L.ELM") returned -1 [0041.586] lstrlenW (lpString=".dpx") returned 4 [0041.586] lstrcmpiW (lpString1=".dpx", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dqy") returned 4 [0041.586] lstrcmpiW (lpString1=".dqy", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dsn") returned 4 [0041.586] lstrcmpiW (lpString1=".dsn", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dt") returned 3 [0041.586] lstrcmpiW (lpString1=".dt", lpString2="ELM") returned -1 [0041.586] lstrlenW (lpString=".dtd") returned 4 [0041.586] lstrcmpiW (lpString1=".dtd", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dwg") returned 4 [0041.586] lstrcmpiW (lpString1=".dwg", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dwt") returned 4 [0041.586] lstrcmpiW (lpString1=".dwt", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".dx") returned 3 [0041.586] lstrcmpiW (lpString1=".dx", lpString2="ELM") returned -1 [0041.586] lstrlenW (lpString=".dxf") returned 4 [0041.586] lstrcmpiW (lpString1=".dxf", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".edml") returned 5 [0041.586] lstrcmpiW (lpString1=".edml", lpString2="L.ELM") returned -1 [0041.586] lstrlenW (lpString=".efd") returned 4 [0041.586] lstrcmpiW (lpString1=".efd", lpString2=".ELM") returned -1 [0041.586] lstrlenW (lpString=".elf") returned 4 [0041.587] lstrcmpiW (lpString1=".elf", lpString2=".ELM") returned -1 [0041.587] lstrlenW (lpString=".emf") returned 4 [0041.587] lstrcmpiW (lpString1=".emf", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".emz") returned 4 [0041.587] lstrcmpiW (lpString1=".emz", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".epf") returned 4 [0041.587] lstrcmpiW (lpString1=".epf", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".eps") returned 4 [0041.587] lstrcmpiW (lpString1=".eps", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".epsf") returned 5 [0041.587] lstrcmpiW (lpString1=".epsf", lpString2="L.ELM") returned -1 [0041.587] lstrlenW (lpString=".epsp") returned 5 [0041.587] lstrcmpiW (lpString1=".epsp", lpString2="L.ELM") returned -1 [0041.587] lstrlenW (lpString=".erf") returned 4 [0041.587] lstrcmpiW (lpString1=".erf", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".exr") returned 4 [0041.587] lstrcmpiW (lpString1=".exr", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".f4v") returned 4 [0041.587] lstrcmpiW (lpString1=".f4v", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".fido") returned 5 [0041.587] lstrcmpiW (lpString1=".fido", lpString2="L.ELM") returned -1 [0041.587] lstrlenW (lpString=".flm") returned 4 [0041.587] lstrcmpiW (lpString1=".flm", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".flv") returned 4 [0041.587] lstrcmpiW (lpString1=".flv", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".frm") returned 4 [0041.587] lstrcmpiW (lpString1=".frm", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".fxg") returned 4 [0041.587] lstrcmpiW (lpString1=".fxg", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".geo") returned 4 [0041.587] lstrcmpiW (lpString1=".geo", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".gif") returned 4 [0041.587] lstrcmpiW (lpString1=".gif", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".grs") returned 4 [0041.587] lstrcmpiW (lpString1=".grs", lpString2=".ELM") returned 1 [0041.587] lstrlenW (lpString=".gz") returned 3 [0041.587] lstrcmpiW (lpString1=".gz", lpString2="ELM") returned -1 [0041.587] lstrlenW (lpString=".h") returned 2 [0041.588] lstrcmpiW (lpString1=".h", lpString2="LM") returned -1 [0041.588] lstrlenW (lpString=".hdr") returned 4 [0041.588] lstrcmpiW (lpString1=".hdr", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".hpp") returned 4 [0041.588] lstrcmpiW (lpString1=".hpp", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".hta") returned 4 [0041.588] lstrcmpiW (lpString1=".hta", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".htc") returned 4 [0041.588] lstrcmpiW (lpString1=".htc", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".htm") returned 4 [0041.588] lstrcmpiW (lpString1=".htm", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".html") returned 5 [0041.588] lstrcmpiW (lpString1=".html", lpString2="L.ELM") returned -1 [0041.588] lstrlenW (lpString=".icb") returned 4 [0041.588] lstrcmpiW (lpString1=".icb", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".ics") returned 4 [0041.588] lstrcmpiW (lpString1=".ics", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".iff") returned 4 [0041.588] lstrcmpiW (lpString1=".iff", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".inc") returned 4 [0041.588] lstrcmpiW (lpString1=".inc", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".indd") returned 5 [0041.588] lstrcmpiW (lpString1=".indd", lpString2="L.ELM") returned -1 [0041.588] lstrlenW (lpString=".ini") returned 4 [0041.588] lstrcmpiW (lpString1=".ini", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".iqy") returned 4 [0041.588] lstrcmpiW (lpString1=".iqy", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".j2c") returned 4 [0041.588] lstrcmpiW (lpString1=".j2c", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".j2k") returned 4 [0041.588] lstrcmpiW (lpString1=".j2k", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".java") returned 5 [0041.588] lstrcmpiW (lpString1=".java", lpString2="L.ELM") returned -1 [0041.588] lstrlenW (lpString=".jp2") returned 4 [0041.588] lstrcmpiW (lpString1=".jp2", lpString2=".ELM") returned 1 [0041.588] lstrlenW (lpString=".jpc") returned 4 [0041.588] lstrcmpiW (lpString1=".jpc", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".jpe") returned 4 [0041.589] lstrcmpiW (lpString1=".jpe", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".jpeg") returned 5 [0041.589] lstrcmpiW (lpString1=".jpeg", lpString2="L.ELM") returned -1 [0041.589] lstrlenW (lpString=".jpf") returned 4 [0041.589] lstrcmpiW (lpString1=".jpf", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".jpg") returned 4 [0041.589] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".jpx") returned 4 [0041.589] lstrcmpiW (lpString1=".jpx", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".js") returned 3 [0041.589] lstrcmpiW (lpString1=".js", lpString2="ELM") returned -1 [0041.589] lstrlenW (lpString=".jsf") returned 4 [0041.589] lstrcmpiW (lpString1=".jsf", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".json") returned 5 [0041.589] lstrcmpiW (lpString1=".json", lpString2="L.ELM") returned -1 [0041.589] lstrlenW (lpString=".jsp") returned 4 [0041.589] lstrcmpiW (lpString1=".jsp", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".kdc") returned 4 [0041.589] lstrcmpiW (lpString1=".kdc", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".kmz") returned 4 [0041.589] lstrcmpiW (lpString1=".kmz", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".kwm") returned 4 [0041.589] lstrcmpiW (lpString1=".kwm", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".lasso") returned 6 [0041.589] lstrcmpiW (lpString1=".lasso", lpString2="EL.ELM") returned -1 [0041.589] lstrlenW (lpString=".lbi") returned 4 [0041.589] lstrcmpiW (lpString1=".lbi", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".lgf") returned 4 [0041.589] lstrcmpiW (lpString1=".lgf", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".lgp") returned 4 [0041.589] lstrcmpiW (lpString1=".lgp", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".log") returned 4 [0041.589] lstrcmpiW (lpString1=".log", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".m1v") returned 4 [0041.589] lstrcmpiW (lpString1=".m1v", lpString2=".ELM") returned 1 [0041.589] lstrlenW (lpString=".m4a") returned 4 [0041.590] lstrcmpiW (lpString1=".m4a", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".m4v") returned 4 [0041.590] lstrcmpiW (lpString1=".m4v", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".max") returned 4 [0041.590] lstrcmpiW (lpString1=".max", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".md") returned 3 [0041.590] lstrcmpiW (lpString1=".md", lpString2="ELM") returned -1 [0041.590] lstrlenW (lpString=".mda") returned 4 [0041.590] lstrcmpiW (lpString1=".mda", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mdb") returned 4 [0041.590] lstrcmpiW (lpString1=".mdb", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mde") returned 4 [0041.590] lstrcmpiW (lpString1=".mde", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mdf") returned 4 [0041.590] lstrcmpiW (lpString1=".mdf", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mdw") returned 4 [0041.590] lstrcmpiW (lpString1=".mdw", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mef") returned 4 [0041.590] lstrcmpiW (lpString1=".mef", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mft") returned 4 [0041.590] lstrcmpiW (lpString1=".mft", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mfw") returned 4 [0041.590] lstrcmpiW (lpString1=".mfw", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mht") returned 4 [0041.590] lstrcmpiW (lpString1=".mht", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mhtml") returned 6 [0041.590] lstrcmpiW (lpString1=".mhtml", lpString2="EL.ELM") returned -1 [0041.590] lstrlenW (lpString=".mka") returned 4 [0041.590] lstrcmpiW (lpString1=".mka", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mkidx") returned 6 [0041.590] lstrcmpiW (lpString1=".mkidx", lpString2="EL.ELM") returned -1 [0041.590] lstrlenW (lpString=".mkv") returned 4 [0041.590] lstrcmpiW (lpString1=".mkv", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mos") returned 4 [0041.590] lstrcmpiW (lpString1=".mos", lpString2=".ELM") returned 1 [0041.590] lstrlenW (lpString=".mov") returned 4 [0041.590] lstrcmpiW (lpString1=".mov", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".mp3") returned 4 [0041.591] lstrcmpiW (lpString1=".mp3", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".mp4") returned 4 [0041.591] lstrcmpiW (lpString1=".mp4", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".mpeg") returned 5 [0041.591] lstrcmpiW (lpString1=".mpeg", lpString2="L.ELM") returned -1 [0041.591] lstrlenW (lpString=".mpg") returned 4 [0041.591] lstrcmpiW (lpString1=".mpg", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".mpv") returned 4 [0041.591] lstrcmpiW (lpString1=".mpv", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".mrw") returned 4 [0041.591] lstrcmpiW (lpString1=".mrw", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".msg") returned 4 [0041.591] lstrcmpiW (lpString1=".msg", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".mxl") returned 4 [0041.591] lstrcmpiW (lpString1=".mxl", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".myd") returned 4 [0041.591] lstrcmpiW (lpString1=".myd", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".myi") returned 4 [0041.591] lstrcmpiW (lpString1=".myi", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".nef") returned 4 [0041.591] lstrcmpiW (lpString1=".nef", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".nrw") returned 4 [0041.591] lstrcmpiW (lpString1=".nrw", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".obj") returned 4 [0041.591] lstrcmpiW (lpString1=".obj", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".odb") returned 4 [0041.591] lstrcmpiW (lpString1=".odb", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".odc") returned 4 [0041.591] lstrcmpiW (lpString1=".odc", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".odm") returned 4 [0041.591] lstrcmpiW (lpString1=".odm", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".odp") returned 4 [0041.591] lstrcmpiW (lpString1=".odp", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".ods") returned 4 [0041.591] lstrcmpiW (lpString1=".ods", lpString2=".ELM") returned 1 [0041.591] lstrlenW (lpString=".oft") returned 4 [0041.591] lstrcmpiW (lpString1=".oft", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".one") returned 4 [0041.592] lstrcmpiW (lpString1=".one", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".onepkg") returned 7 [0041.592] lstrcmpiW (lpString1=".onepkg", lpString2="XEL.ELM") returned -1 [0041.592] lstrlenW (lpString=".onetoc2") returned 8 [0041.592] lstrcmpiW (lpString1=".onetoc2", lpString2="IXEL.ELM") returned -1 [0041.592] lstrlenW (lpString=".opt") returned 4 [0041.592] lstrcmpiW (lpString1=".opt", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".oqy") returned 4 [0041.592] lstrcmpiW (lpString1=".oqy", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".orf") returned 4 [0041.592] lstrcmpiW (lpString1=".orf", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".p12") returned 4 [0041.592] lstrcmpiW (lpString1=".p12", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".p7b") returned 4 [0041.592] lstrcmpiW (lpString1=".p7b", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".p7c") returned 4 [0041.592] lstrcmpiW (lpString1=".p7c", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pam") returned 4 [0041.592] lstrcmpiW (lpString1=".pam", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pbm") returned 4 [0041.592] lstrcmpiW (lpString1=".pbm", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pct") returned 4 [0041.592] lstrcmpiW (lpString1=".pct", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pcx") returned 4 [0041.592] lstrcmpiW (lpString1=".pcx", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pdd") returned 4 [0041.592] lstrcmpiW (lpString1=".pdd", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pdf") returned 4 [0041.592] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pdp") returned 4 [0041.592] lstrcmpiW (lpString1=".pdp", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pef") returned 4 [0041.592] lstrcmpiW (lpString1=".pef", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pem") returned 4 [0041.592] lstrcmpiW (lpString1=".pem", lpString2=".ELM") returned 1 [0041.592] lstrlenW (lpString=".pff") returned 4 [0041.593] lstrcmpiW (lpString1=".pff", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".pfm") returned 4 [0041.593] lstrcmpiW (lpString1=".pfm", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".pfx") returned 4 [0041.593] lstrcmpiW (lpString1=".pfx", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".pgm") returned 4 [0041.593] lstrcmpiW (lpString1=".pgm", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".php") returned 4 [0041.593] lstrcmpiW (lpString1=".php", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".php3") returned 5 [0041.593] lstrcmpiW (lpString1=".php3", lpString2="L.ELM") returned -1 [0041.593] lstrlenW (lpString=".php4") returned 5 [0041.593] lstrcmpiW (lpString1=".php4", lpString2="L.ELM") returned -1 [0041.593] lstrlenW (lpString=".php5") returned 5 [0041.593] lstrcmpiW (lpString1=".php5", lpString2="L.ELM") returned -1 [0041.593] lstrlenW (lpString=".phtml") returned 6 [0041.593] lstrcmpiW (lpString1=".phtml", lpString2="EL.ELM") returned -1 [0041.593] lstrlenW (lpString=".pict") returned 5 [0041.593] lstrcmpiW (lpString1=".pict", lpString2="L.ELM") returned -1 [0041.593] lstrlenW (lpString=".pl") returned 3 [0041.593] lstrcmpiW (lpString1=".pl", lpString2="ELM") returned -1 [0041.593] lstrlenW (lpString=".pls") returned 4 [0041.593] lstrcmpiW (lpString1=".pls", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".pm") returned 3 [0041.593] lstrcmpiW (lpString1=".pm", lpString2="ELM") returned -1 [0041.593] lstrlenW (lpString=".png") returned 4 [0041.593] lstrcmpiW (lpString1=".png", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".pnm") returned 4 [0041.593] lstrcmpiW (lpString1=".pnm", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".pot") returned 4 [0041.593] lstrcmpiW (lpString1=".pot", lpString2=".ELM") returned 1 [0041.593] lstrlenW (lpString=".potm") returned 5 [0041.593] lstrcmpiW (lpString1=".potm", lpString2="L.ELM") returned -1 [0041.593] lstrlenW (lpString=".potx") returned 5 [0041.593] lstrcmpiW (lpString1=".potx", lpString2="L.ELM") returned -1 [0041.593] lstrlenW (lpString=".ppa") returned 4 [0041.593] lstrcmpiW (lpString1=".ppa", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".ppam") returned 5 [0041.594] lstrcmpiW (lpString1=".ppam", lpString2="L.ELM") returned -1 [0041.594] lstrlenW (lpString=".ppm") returned 4 [0041.594] lstrcmpiW (lpString1=".ppm", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".pps") returned 4 [0041.594] lstrcmpiW (lpString1=".pps", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".ppsm") returned 5 [0041.594] lstrcmpiW (lpString1=".ppsm", lpString2="L.ELM") returned -1 [0041.594] lstrlenW (lpString=".ppt") returned 4 [0041.594] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".pptm") returned 5 [0041.594] lstrcmpiW (lpString1=".pptm", lpString2="L.ELM") returned -1 [0041.594] lstrlenW (lpString=".pptx") returned 5 [0041.594] lstrcmpiW (lpString1=".pptx", lpString2="L.ELM") returned -1 [0041.594] lstrlenW (lpString=".prn") returned 4 [0041.594] lstrcmpiW (lpString1=".prn", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".ps") returned 3 [0041.594] lstrcmpiW (lpString1=".ps", lpString2="ELM") returned -1 [0041.594] lstrlenW (lpString=".psb") returned 4 [0041.594] lstrcmpiW (lpString1=".psb", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".psd") returned 4 [0041.594] lstrcmpiW (lpString1=".psd", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".pst") returned 4 [0041.594] lstrcmpiW (lpString1=".pst", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".ptx") returned 4 [0041.594] lstrcmpiW (lpString1=".ptx", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".pub") returned 4 [0041.594] lstrcmpiW (lpString1=".pub", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".pwm") returned 4 [0041.594] lstrcmpiW (lpString1=".pwm", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".pxr") returned 4 [0041.594] lstrcmpiW (lpString1=".pxr", lpString2=".ELM") returned 1 [0041.594] lstrlenW (lpString=".py") returned 3 [0041.594] lstrcmpiW (lpString1=".py", lpString2="ELM") returned -1 [0041.594] lstrlenW (lpString=".qt") returned 3 [0041.594] lstrcmpiW (lpString1=".qt", lpString2="ELM") returned -1 [0041.594] lstrlenW (lpString=".r3d") returned 4 [0041.594] lstrcmpiW (lpString1=".r3d", lpString2=".ELM") returned 1 [0041.595] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.595] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.595] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0041.595] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.596] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.597] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x53b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.597] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.597] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.597] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUAD", cAlternateFileName="")) returned 1 [0041.597] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.598] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.598] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.599] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.599] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.599] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0041.599] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.600] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.600] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x682, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.600] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.601] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.601] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="REFINED", cAlternateFileName="")) returned 1 [0041.601] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.601] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.601] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x58f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.601] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.602] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0041.602] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.936] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.936] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xf82, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.937] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.937] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.937] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0041.937] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814370 [0041.937] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.937] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0041.937] FindClose (in: hFindFile=0x3814370 | out: hFindFile=0x3814370) returned 1 [0041.937] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3760068 | out: hHeap=0x500000) returned 1 [0041.937] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0041.938] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*", lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3814330 [0043.154] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.154] FindNextFileW (in: hFindFile=0x3814330, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0055.205] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ff, dwReserved1=0x20000, cFileName="..", cAlternateFileName="")) returned 1 [0055.205] FindNextFileW (in: hFindFile=0x3814270, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49110e00, ftCreationTime.dwHighDateTime=0x1bf97c1, ftLastAccessTime.dwLowDateTime=0xfa5ff110, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49110e00, ftLastWriteTime.dwHighDateTime=0x1bf97c1, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x7ff, dwReserved1=0x20000, cFileName="MSN MoneyCentral Investor Currency Rates.iqy", cAlternateFileName="MSNMON~1.IQY")) returned 1 [0060.240] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0060.240] lstrlenW (lpString=".3ds") returned 4 [0060.240] lstrcmpiW (lpString1=".3ds", lpString2=".htm") returned -1 [0060.240] lstrlenW (lpString=".3fr") returned 4 [0060.240] lstrcmpiW (lpString1=".3fr", lpString2=".htm") returned -1 [0060.240] lstrlenW (lpString=".3g2") returned 4 [0060.240] lstrcmpiW (lpString1=".3g2", lpString2=".htm") returned -1 [0060.240] lstrlenW (lpString=".3gp") returned 4 [0060.240] lstrcmpiW (lpString1=".3gp", lpString2=".htm") returned -1 [0060.240] lstrlenW (lpString=".7z") returned 3 [0060.240] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0060.240] lstrlenW (lpString=".accda") returned 6 [0060.241] lstrcmpiW (lpString1=".accda", lpString2="ku.htm") returned -1 [0060.241] lstrlenW (lpString=".accdb") returned 6 [0060.241] lstrcmpiW (lpString1=".accdb", lpString2="ku.htm") returned -1 [0060.241] lstrlenW (lpString=".accdc") returned 6 [0060.241] lstrcmpiW (lpString1=".accdc", lpString2="ku.htm") returned -1 [0060.241] lstrlenW (lpString=".accde") returned 6 [0060.241] lstrcmpiW (lpString1=".accde", lpString2="ku.htm") returned -1 [0060.241] lstrlenW (lpString=".accdt") returned 6 [0060.241] lstrcmpiW (lpString1=".accdt", lpString2="ku.htm") returned -1 [0060.241] lstrlenW (lpString=".accdw") returned 6 [0060.241] lstrcmpiW (lpString1=".accdw", lpString2="ku.htm") returned -1 [0060.241] lstrlenW (lpString=".adb") returned 4 [0060.241] lstrcmpiW (lpString1=".adb", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".adp") returned 4 [0060.241] lstrcmpiW (lpString1=".adp", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".ai") returned 3 [0060.241] lstrcmpiW (lpString1=".ai", lpString2="htm") returned -1 [0060.241] lstrlenW (lpString=".ai3") returned 4 [0060.241] lstrcmpiW (lpString1=".ai3", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".ai4") returned 4 [0060.241] lstrcmpiW (lpString1=".ai4", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".ai5") returned 4 [0060.241] lstrcmpiW (lpString1=".ai5", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".ai6") returned 4 [0060.241] lstrcmpiW (lpString1=".ai6", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".ai7") returned 4 [0060.241] lstrcmpiW (lpString1=".ai7", lpString2=".htm") returned -1 [0060.241] lstrlenW (lpString=".ai8") returned 4 [0060.241] lstrcmpiW (lpString1=".ai8", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".anim") returned 5 [0060.242] lstrcmpiW (lpString1=".anim", lpString2="u.htm") returned -1 [0060.242] lstrlenW (lpString=".arw") returned 4 [0060.242] lstrcmpiW (lpString1=".arw", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".as") returned 3 [0060.242] lstrcmpiW (lpString1=".as", lpString2="htm") returned -1 [0060.242] lstrlenW (lpString=".asa") returned 4 [0060.242] lstrcmpiW (lpString1=".asa", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".asc") returned 4 [0060.242] lstrcmpiW (lpString1=".asc", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".ascx") returned 5 [0060.242] lstrcmpiW (lpString1=".ascx", lpString2="u.htm") returned -1 [0060.242] lstrlenW (lpString=".asm") returned 4 [0060.242] lstrcmpiW (lpString1=".asm", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".asmx") returned 5 [0060.242] lstrcmpiW (lpString1=".asmx", lpString2="u.htm") returned -1 [0060.242] lstrlenW (lpString=".asp") returned 4 [0060.242] lstrcmpiW (lpString1=".asp", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".aspx") returned 5 [0060.242] lstrcmpiW (lpString1=".aspx", lpString2="u.htm") returned -1 [0060.242] lstrlenW (lpString=".asr") returned 4 [0060.242] lstrcmpiW (lpString1=".asr", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".asx") returned 4 [0060.242] lstrcmpiW (lpString1=".asx", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".avi") returned 4 [0060.242] lstrcmpiW (lpString1=".avi", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".avs") returned 4 [0060.242] lstrcmpiW (lpString1=".avs", lpString2=".htm") returned -1 [0060.242] lstrlenW (lpString=".backup") returned 7 [0060.242] lstrcmpiW (lpString1=".backup", lpString2="oku.htm") returned -1 [0060.243] lstrlenW (lpString=".bak") returned 4 [0060.243] lstrcmpiW (lpString1=".bak", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".bay") returned 4 [0060.243] lstrcmpiW (lpString1=".bay", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".bd") returned 3 [0060.243] lstrcmpiW (lpString1=".bd", lpString2="htm") returned -1 [0060.243] lstrlenW (lpString=".bin") returned 4 [0060.243] lstrcmpiW (lpString1=".bin", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".bmp") returned 4 [0060.243] lstrcmpiW (lpString1=".bmp", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".bz2") returned 4 [0060.243] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".c") returned 2 [0060.243] lstrcmpiW (lpString1=".c", lpString2="tm") returned -1 [0060.243] lstrlenW (lpString=".cdr") returned 4 [0060.243] lstrcmpiW (lpString1=".cdr", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".cer") returned 4 [0060.243] lstrcmpiW (lpString1=".cer", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".cf") returned 3 [0060.243] lstrcmpiW (lpString1=".cf", lpString2="htm") returned -1 [0060.243] lstrlenW (lpString=".cfc") returned 4 [0060.243] lstrcmpiW (lpString1=".cfc", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".cfm") returned 4 [0060.243] lstrcmpiW (lpString1=".cfm", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".cfml") returned 5 [0060.243] lstrcmpiW (lpString1=".cfml", lpString2="u.htm") returned -1 [0060.243] lstrlenW (lpString=".cfu") returned 4 [0060.243] lstrcmpiW (lpString1=".cfu", lpString2=".htm") returned -1 [0060.243] lstrlenW (lpString=".chm") returned 4 [0060.243] lstrcmpiW (lpString1=".chm", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".cin") returned 4 [0060.244] lstrcmpiW (lpString1=".cin", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".class") returned 6 [0060.244] lstrcmpiW (lpString1=".class", lpString2="ku.htm") returned -1 [0060.244] lstrlenW (lpString=".clx") returned 4 [0060.244] lstrcmpiW (lpString1=".clx", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".config") returned 7 [0060.244] lstrcmpiW (lpString1=".config", lpString2="oku.htm") returned -1 [0060.244] lstrlenW (lpString=".cpp") returned 4 [0060.244] lstrcmpiW (lpString1=".cpp", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".cr2") returned 4 [0060.244] lstrcmpiW (lpString1=".cr2", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".crt") returned 4 [0060.244] lstrcmpiW (lpString1=".crt", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".crw") returned 4 [0060.244] lstrcmpiW (lpString1=".crw", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".cs") returned 3 [0060.244] lstrcmpiW (lpString1=".cs", lpString2="htm") returned -1 [0060.244] lstrlenW (lpString=".css") returned 4 [0060.244] lstrcmpiW (lpString1=".css", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".csv") returned 4 [0060.244] lstrcmpiW (lpString1=".csv", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".cub") returned 4 [0060.244] lstrcmpiW (lpString1=".cub", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".dae") returned 4 [0060.244] lstrcmpiW (lpString1=".dae", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".dat") returned 4 [0060.244] lstrcmpiW (lpString1=".dat", lpString2=".htm") returned -1 [0060.244] lstrlenW (lpString=".db") returned 3 [0060.245] lstrcmpiW (lpString1=".db", lpString2="htm") returned -1 [0060.245] lstrlenW (lpString=".dbf") returned 4 [0060.245] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dbx") returned 4 [0060.245] lstrcmpiW (lpString1=".dbx", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dc3") returned 4 [0060.245] lstrcmpiW (lpString1=".dc3", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dcm") returned 4 [0060.245] lstrcmpiW (lpString1=".dcm", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dcr") returned 4 [0060.245] lstrcmpiW (lpString1=".dcr", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".der") returned 4 [0060.245] lstrcmpiW (lpString1=".der", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dib") returned 4 [0060.245] lstrcmpiW (lpString1=".dib", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dic") returned 4 [0060.245] lstrcmpiW (lpString1=".dic", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".dif") returned 4 [0060.245] lstrcmpiW (lpString1=".dif", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".divx") returned 5 [0060.245] lstrcmpiW (lpString1=".divx", lpString2="u.htm") returned -1 [0060.245] lstrlenW (lpString=".djvu") returned 5 [0060.245] lstrcmpiW (lpString1=".djvu", lpString2="u.htm") returned -1 [0060.245] lstrlenW (lpString=".dng") returned 4 [0060.245] lstrcmpiW (lpString1=".dng", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".doc") returned 4 [0060.245] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0060.245] lstrlenW (lpString=".docm") returned 5 [0060.245] lstrcmpiW (lpString1=".docm", lpString2="u.htm") returned -1 [0060.245] lstrlenW (lpString=".docx") returned 5 [0060.246] lstrcmpiW (lpString1=".docx", lpString2="u.htm") returned -1 [0060.246] lstrlenW (lpString=".dot") returned 4 [0060.246] lstrcmpiW (lpString1=".dot", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dotm") returned 5 [0060.246] lstrcmpiW (lpString1=".dotm", lpString2="u.htm") returned -1 [0060.246] lstrlenW (lpString=".dotx") returned 5 [0060.246] lstrcmpiW (lpString1=".dotx", lpString2="u.htm") returned -1 [0060.246] lstrlenW (lpString=".dpx") returned 4 [0060.246] lstrcmpiW (lpString1=".dpx", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dqy") returned 4 [0060.246] lstrcmpiW (lpString1=".dqy", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dsn") returned 4 [0060.246] lstrcmpiW (lpString1=".dsn", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dt") returned 3 [0060.246] lstrcmpiW (lpString1=".dt", lpString2="htm") returned -1 [0060.246] lstrlenW (lpString=".dtd") returned 4 [0060.246] lstrcmpiW (lpString1=".dtd", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dwg") returned 4 [0060.246] lstrcmpiW (lpString1=".dwg", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dwt") returned 4 [0060.246] lstrcmpiW (lpString1=".dwt", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".dx") returned 3 [0060.246] lstrcmpiW (lpString1=".dx", lpString2="htm") returned -1 [0060.246] lstrlenW (lpString=".dxf") returned 4 [0060.246] lstrcmpiW (lpString1=".dxf", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".edml") returned 5 [0060.246] lstrcmpiW (lpString1=".edml", lpString2="u.htm") returned -1 [0060.246] lstrlenW (lpString=".efd") returned 4 [0060.246] lstrcmpiW (lpString1=".efd", lpString2=".htm") returned -1 [0060.246] lstrlenW (lpString=".elf") returned 4 [0060.247] lstrcmpiW (lpString1=".elf", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".emf") returned 4 [0060.247] lstrcmpiW (lpString1=".emf", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".emz") returned 4 [0060.247] lstrcmpiW (lpString1=".emz", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".epf") returned 4 [0060.247] lstrcmpiW (lpString1=".epf", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".eps") returned 4 [0060.247] lstrcmpiW (lpString1=".eps", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".epsf") returned 5 [0060.247] lstrcmpiW (lpString1=".epsf", lpString2="u.htm") returned -1 [0060.247] lstrlenW (lpString=".epsp") returned 5 [0060.247] lstrcmpiW (lpString1=".epsp", lpString2="u.htm") returned -1 [0060.247] lstrlenW (lpString=".erf") returned 4 [0060.247] lstrcmpiW (lpString1=".erf", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".exr") returned 4 [0060.247] lstrcmpiW (lpString1=".exr", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".f4v") returned 4 [0060.247] lstrcmpiW (lpString1=".f4v", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".fido") returned 5 [0060.247] lstrcmpiW (lpString1=".fido", lpString2="u.htm") returned -1 [0060.247] lstrlenW (lpString=".flm") returned 4 [0060.247] lstrcmpiW (lpString1=".flm", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".flv") returned 4 [0060.247] lstrcmpiW (lpString1=".flv", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".frm") returned 4 [0060.247] lstrcmpiW (lpString1=".frm", lpString2=".htm") returned -1 [0060.247] lstrlenW (lpString=".fxg") returned 4 [0060.247] lstrcmpiW (lpString1=".fxg", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".geo") returned 4 [0060.248] lstrcmpiW (lpString1=".geo", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".gif") returned 4 [0060.248] lstrcmpiW (lpString1=".gif", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".grs") returned 4 [0060.248] lstrcmpiW (lpString1=".grs", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".gz") returned 3 [0060.248] lstrcmpiW (lpString1=".gz", lpString2="htm") returned -1 [0060.248] lstrlenW (lpString=".h") returned 2 [0060.248] lstrcmpiW (lpString1=".h", lpString2="tm") returned -1 [0060.248] lstrlenW (lpString=".hdr") returned 4 [0060.248] lstrcmpiW (lpString1=".hdr", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".hpp") returned 4 [0060.248] lstrcmpiW (lpString1=".hpp", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".hta") returned 4 [0060.248] lstrcmpiW (lpString1=".hta", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".htc") returned 4 [0060.248] lstrcmpiW (lpString1=".htc", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".htm") returned 4 [0060.248] lstrcmpiW (lpString1=".htm", lpString2=".htm") returned 0 [0060.248] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f58c | out: lpFindFileData=0x3a6f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x42ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="Berime.htm", cAlternateFileName="")) returned 1 [0060.248] lstrlenW (lpString="Berime.htm") returned 10 [0060.248] lstrlenW (lpString=".1cd") returned 4 [0060.248] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".3ds") returned 4 [0060.248] lstrcmpiW (lpString1=".3ds", lpString2=".htm") returned -1 [0060.248] lstrlenW (lpString=".3fr") returned 4 [0060.249] lstrcmpiW (lpString1=".3fr", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".3g2") returned 4 [0060.249] lstrcmpiW (lpString1=".3g2", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".3gp") returned 4 [0060.249] lstrcmpiW (lpString1=".3gp", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".7z") returned 3 [0060.249] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0060.249] lstrlenW (lpString=".accda") returned 6 [0060.249] lstrcmpiW (lpString1=".accda", lpString2="me.htm") returned -1 [0060.249] lstrlenW (lpString=".accdb") returned 6 [0060.249] lstrcmpiW (lpString1=".accdb", lpString2="me.htm") returned -1 [0060.249] lstrlenW (lpString=".accdc") returned 6 [0060.249] lstrcmpiW (lpString1=".accdc", lpString2="me.htm") returned -1 [0060.249] lstrlenW (lpString=".accde") returned 6 [0060.249] lstrcmpiW (lpString1=".accde", lpString2="me.htm") returned -1 [0060.249] lstrlenW (lpString=".accdt") returned 6 [0060.249] lstrcmpiW (lpString1=".accdt", lpString2="me.htm") returned -1 [0060.249] lstrlenW (lpString=".accdw") returned 6 [0060.249] lstrcmpiW (lpString1=".accdw", lpString2="me.htm") returned -1 [0060.249] lstrlenW (lpString=".adb") returned 4 [0060.249] lstrcmpiW (lpString1=".adb", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".adp") returned 4 [0060.249] lstrcmpiW (lpString1=".adp", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".ai") returned 3 [0060.249] lstrcmpiW (lpString1=".ai", lpString2="htm") returned -1 [0060.249] lstrlenW (lpString=".ai3") returned 4 [0060.249] lstrcmpiW (lpString1=".ai3", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".ai4") returned 4 [0060.249] lstrcmpiW (lpString1=".ai4", lpString2=".htm") returned -1 [0060.249] lstrlenW (lpString=".ai5") returned 4 [0060.250] lstrcmpiW (lpString1=".ai5", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".ai6") returned 4 [0060.250] lstrcmpiW (lpString1=".ai6", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".ai7") returned 4 [0060.250] lstrcmpiW (lpString1=".ai7", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".ai8") returned 4 [0060.250] lstrcmpiW (lpString1=".ai8", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".anim") returned 5 [0060.250] lstrcmpiW (lpString1=".anim", lpString2="e.htm") returned -1 [0060.250] lstrlenW (lpString=".arw") returned 4 [0060.250] lstrcmpiW (lpString1=".arw", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".as") returned 3 [0060.250] lstrcmpiW (lpString1=".as", lpString2="htm") returned -1 [0060.250] lstrlenW (lpString=".asa") returned 4 [0060.250] lstrcmpiW (lpString1=".asa", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".asc") returned 4 [0060.250] lstrcmpiW (lpString1=".asc", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".ascx") returned 5 [0060.250] lstrcmpiW (lpString1=".ascx", lpString2="e.htm") returned -1 [0060.250] lstrlenW (lpString=".asm") returned 4 [0060.250] lstrcmpiW (lpString1=".asm", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".asmx") returned 5 [0060.250] lstrcmpiW (lpString1=".asmx", lpString2="e.htm") returned -1 [0060.250] lstrlenW (lpString=".asp") returned 4 [0060.250] lstrcmpiW (lpString1=".asp", lpString2=".htm") returned -1 [0060.250] lstrlenW (lpString=".aspx") returned 5 [0060.250] lstrcmpiW (lpString1=".aspx", lpString2="e.htm") returned -1 [0060.250] lstrlenW (lpString=".asr") returned 4 [0060.250] lstrcmpiW (lpString1=".asr", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".asx") returned 4 [0060.251] lstrcmpiW (lpString1=".asx", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".avi") returned 4 [0060.251] lstrcmpiW (lpString1=".avi", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".avs") returned 4 [0060.251] lstrcmpiW (lpString1=".avs", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".backup") returned 7 [0060.251] lstrcmpiW (lpString1=".backup", lpString2="ime.htm") returned -1 [0060.251] lstrlenW (lpString=".bak") returned 4 [0060.251] lstrcmpiW (lpString1=".bak", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".bay") returned 4 [0060.251] lstrcmpiW (lpString1=".bay", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".bd") returned 3 [0060.251] lstrcmpiW (lpString1=".bd", lpString2="htm") returned -1 [0060.251] lstrlenW (lpString=".bin") returned 4 [0060.251] lstrcmpiW (lpString1=".bin", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".bmp") returned 4 [0060.251] lstrcmpiW (lpString1=".bmp", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".bz2") returned 4 [0060.251] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".c") returned 2 [0060.251] lstrcmpiW (lpString1=".c", lpString2="tm") returned -1 [0060.251] lstrlenW (lpString=".cdr") returned 4 [0060.251] lstrcmpiW (lpString1=".cdr", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".cer") returned 4 [0060.251] lstrcmpiW (lpString1=".cer", lpString2=".htm") returned -1 [0060.251] lstrlenW (lpString=".cf") returned 3 [0060.251] lstrcmpiW (lpString1=".cf", lpString2="htm") returned -1 [0060.251] lstrlenW (lpString=".cfc") returned 4 [0060.252] lstrcmpiW (lpString1=".cfc", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".cfm") returned 4 [0060.252] lstrcmpiW (lpString1=".cfm", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".cfml") returned 5 [0060.252] lstrcmpiW (lpString1=".cfml", lpString2="e.htm") returned -1 [0060.252] lstrlenW (lpString=".cfu") returned 4 [0060.252] lstrcmpiW (lpString1=".cfu", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".chm") returned 4 [0060.252] lstrcmpiW (lpString1=".chm", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".cin") returned 4 [0060.252] lstrcmpiW (lpString1=".cin", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".class") returned 6 [0060.252] lstrcmpiW (lpString1=".class", lpString2="me.htm") returned -1 [0060.252] lstrlenW (lpString=".clx") returned 4 [0060.252] lstrcmpiW (lpString1=".clx", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".config") returned 7 [0060.252] lstrcmpiW (lpString1=".config", lpString2="ime.htm") returned -1 [0060.252] lstrlenW (lpString=".cpp") returned 4 [0060.252] lstrcmpiW (lpString1=".cpp", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".cr2") returned 4 [0060.252] lstrcmpiW (lpString1=".cr2", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".crt") returned 4 [0060.252] lstrcmpiW (lpString1=".crt", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".crw") returned 4 [0060.252] lstrcmpiW (lpString1=".crw", lpString2=".htm") returned -1 [0060.252] lstrlenW (lpString=".cs") returned 3 [0060.252] lstrcmpiW (lpString1=".cs", lpString2="htm") returned -1 [0060.252] lstrlenW (lpString=".css") returned 4 [0060.252] lstrcmpiW (lpString1=".css", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".csv") returned 4 [0060.253] lstrcmpiW (lpString1=".csv", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".cub") returned 4 [0060.253] lstrcmpiW (lpString1=".cub", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dae") returned 4 [0060.253] lstrcmpiW (lpString1=".dae", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dat") returned 4 [0060.253] lstrcmpiW (lpString1=".dat", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".db") returned 3 [0060.253] lstrcmpiW (lpString1=".db", lpString2="htm") returned -1 [0060.253] lstrlenW (lpString=".dbf") returned 4 [0060.253] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dbx") returned 4 [0060.253] lstrcmpiW (lpString1=".dbx", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dc3") returned 4 [0060.253] lstrcmpiW (lpString1=".dc3", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dcm") returned 4 [0060.253] lstrcmpiW (lpString1=".dcm", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dcr") returned 4 [0060.253] lstrcmpiW (lpString1=".dcr", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".der") returned 4 [0060.253] lstrcmpiW (lpString1=".der", lpString2=".htm") returned -1 [0060.253] lstrlenW (lpString=".dib") returned 4 [0060.253] lstrcmpiW (lpString1=".dib", lpString2=".htm") returned -1 [0060.254] lstrlenW (lpString=".dic") returned 4 [0060.254] lstrcmpiW (lpString1=".dic", lpString2=".htm") returned -1 [0060.254] lstrlenW (lpString=".dif") returned 4 [0060.254] lstrcmpiW (lpString1=".dif", lpString2=".htm") returned -1 [0060.254] lstrlenW (lpString=".divx") returned 5 [0060.254] lstrcmpiW (lpString1=".divx", lpString2="e.htm") returned -1 [0060.254] lstrlenW (lpString=".djvu") returned 5 [0060.254] lstrcmpiW (lpString1=".djvu", lpString2="e.htm") returned -1 [0060.254] lstrlenW (lpString=".dng") returned 4 [0060.254] lstrcmpiW (lpString1=".dng", lpString2=".htm") returned -1 [0060.254] lstrlenW (lpString=".doc") returned 4 [0060.254] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0060.254] lstrlenW (lpString=".docm") returned 5 [0060.254] lstrcmpiW (lpString1=".docm", lpString2="e.htm") returned -1 [0060.254] lstrlenW (lpString=".docx") returned 5 [0060.254] lstrcmpiW (lpString1=".docx", lpString2="e.htm") returned -1 [0060.254] lstrlenW (lpString=".dot") returned 4 [0060.254] lstrcmpiW (lpString1=".dot", lpString2=".htm") returned -1 [0060.254] lstrlenW (lpString=".dotm") returned 5 [0060.254] lstrcmpiW (lpString1=".dotm", lpString2="e.htm") returned -1 [0060.254] lstrlenW (lpString=".dotx") returned 5 [0060.254] lstrcmpiW (lpString1=".dotx", lpString2="e.htm") returned -1 [0060.254] lstrlenW (lpString=".dpx") returned 4 [0060.254] lstrcmpiW (lpString1=".dpx", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".dqy") returned 4 [0060.255] lstrcmpiW (lpString1=".dqy", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".dsn") returned 4 [0060.255] lstrcmpiW (lpString1=".dsn", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".dt") returned 3 [0060.255] lstrcmpiW (lpString1=".dt", lpString2="htm") returned -1 [0060.255] lstrlenW (lpString=".dtd") returned 4 [0060.255] lstrcmpiW (lpString1=".dtd", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".dwg") returned 4 [0060.255] lstrcmpiW (lpString1=".dwg", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".dwt") returned 4 [0060.255] lstrcmpiW (lpString1=".dwt", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".dx") returned 3 [0060.255] lstrcmpiW (lpString1=".dx", lpString2="htm") returned -1 [0060.255] lstrlenW (lpString=".dxf") returned 4 [0060.255] lstrcmpiW (lpString1=".dxf", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".edml") returned 5 [0060.255] lstrcmpiW (lpString1=".edml", lpString2="e.htm") returned -1 [0060.255] lstrlenW (lpString=".efd") returned 4 [0060.255] lstrcmpiW (lpString1=".efd", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".elf") returned 4 [0060.255] lstrcmpiW (lpString1=".elf", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".emf") returned 4 [0060.255] lstrcmpiW (lpString1=".emf", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".emz") returned 4 [0060.255] lstrcmpiW (lpString1=".emz", lpString2=".htm") returned -1 [0060.255] lstrlenW (lpString=".epf") returned 4 [0060.255] lstrcmpiW (lpString1=".epf", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".eps") returned 4 [0060.256] lstrcmpiW (lpString1=".eps", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".epsf") returned 5 [0060.256] lstrcmpiW (lpString1=".epsf", lpString2="e.htm") returned -1 [0060.256] lstrlenW (lpString=".epsp") returned 5 [0060.256] lstrcmpiW (lpString1=".epsp", lpString2="e.htm") returned -1 [0060.256] lstrlenW (lpString=".erf") returned 4 [0060.256] lstrcmpiW (lpString1=".erf", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".exr") returned 4 [0060.256] lstrcmpiW (lpString1=".exr", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".f4v") returned 4 [0060.256] lstrcmpiW (lpString1=".f4v", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".fido") returned 5 [0060.256] lstrcmpiW (lpString1=".fido", lpString2="e.htm") returned -1 [0060.256] lstrlenW (lpString=".flm") returned 4 [0060.256] lstrcmpiW (lpString1=".flm", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".flv") returned 4 [0060.256] lstrcmpiW (lpString1=".flv", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".frm") returned 4 [0060.256] lstrcmpiW (lpString1=".frm", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".fxg") returned 4 [0060.256] lstrcmpiW (lpString1=".fxg", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".geo") returned 4 [0060.256] lstrcmpiW (lpString1=".geo", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".gif") returned 4 [0060.256] lstrcmpiW (lpString1=".gif", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".grs") returned 4 [0060.256] lstrcmpiW (lpString1=".grs", lpString2=".htm") returned -1 [0060.256] lstrlenW (lpString=".gz") returned 3 [0060.257] lstrcmpiW (lpString1=".gz", lpString2="htm") returned -1 [0060.257] lstrlenW (lpString=".h") returned 2 [0060.257] lstrcmpiW (lpString1=".h", lpString2="tm") returned -1 [0060.257] lstrlenW (lpString=".hdr") returned 4 [0060.257] lstrcmpiW (lpString1=".hdr", lpString2=".htm") returned -1 [0060.257] lstrlenW (lpString=".hpp") returned 4 [0060.257] lstrcmpiW (lpString1=".hpp", lpString2=".htm") returned -1 [0060.257] lstrlenW (lpString=".hta") returned 4 [0060.257] lstrcmpiW (lpString1=".hta", lpString2=".htm") returned -1 [0060.257] lstrlenW (lpString=".htc") returned 4 [0060.257] lstrcmpiW (lpString1=".htc", lpString2=".htm") returned -1 [0060.257] lstrlenW (lpString=".htm") returned 4 [0060.257] lstrcmpiW (lpString1=".htm", lpString2=".htm") returned 0 [0060.257] FindNextFileW (in: hFindFile=0x3814370, lpFindFileData=0x3a6f58c | out: lpFindFileData=0x3a6f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Esl", cAlternateFileName="")) returned 1 [0060.257] lstrlenW (lpString="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl") returned 44 [0060.257] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl") returned 1 [0060.257] lstrlenW (lpString="Esl") returned 3 [0060.257] lstrcmpiW (lpString1="C:\\Windows", lpString2="Esl") returned -1 [0060.257] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfffe) returned 0x3750060 [0060.258] lstrlenW (lpString="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl") returned 44 [0060.258] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*", lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x38141f0 [0060.259] FindNextFileW (in: hFindFile=0x38141f0, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.259] FindNextFileW (in: hFindFile=0x38141f0, lpFindFileData=0x3a6f310 | out: lpFindFileData=0x3a6f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x19798, dwReserved0=0x0, dwReserved1=0x0, cFileName="AiodLite.dll", cAlternateFileName="")) returned 1 [0060.259] lstrlenW (lpString="AiodLite.dll") returned 12 [0060.259] lstrlenW (lpString=".1cd") returned 4 [0060.259] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0060.259] lstrlenW (lpString=".3ds") returned 4 [0060.259] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0060.259] lstrlenW (lpString=".3fr") returned 4 [0060.259] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0060.259] lstrlenW (lpString=".3g2") returned 4 [0060.259] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0060.259] lstrlenW (lpString=".3gp") returned 4 [0060.259] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0060.259] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0060.259] lstrcmpiW (lpString1=".accda", lpString2="te.dll") returned -1 [0063.697] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\da_DK\\Services\\*", lpFindFileData=0x3a6eb9c | out: lpFindFileData=0x3a6eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81f971c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81fe3480, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81fe3480, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x38144b0 [0063.744] FindNextFileW (in: hFindFile=0x38144b0, lpFindFileData=0x3a6eb9c | out: lpFindFileData=0x3a6eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81f971c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81fe3480, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81fe3480, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.744] FindNextFileW (in: hFindFile=0x38144b0, lpFindFileData=0x3a6eb9c | out: lpFindFileData=0x3a6eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81fe3480, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x8ca7, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEXShare.asfx", cAlternateFileName="DEXSHA~1.ASF")) returned 1 [0063.744] FindClose (in: hFindFile=0x38144b0 | out: hFindFile=0x38144b0) returned 1 [0063.751] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3fa60e0 | out: hHeap=0x500000) returned 1 [0063.751] FindNextFileW (in: hFindFile=0x3814430, lpFindFileData=0x3a6ee18 | out: lpFindFileData=0x3a6ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7ddfb360, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spelling.DAN", cAlternateFileName="")) returned 1 [0063.751] lstrlenW (lpString="Spelling.DAN") returned 12 [0063.751] lstrlenW (lpString=".1cd") returned 4 [0063.751] lstrcmpiW (lpString1=".1cd", lpString2=".DAN") returned -1 [0063.751] lstrlenW (lpString=".3ds") returned 4 [0063.751] lstrcmpiW (lpString1=".3ds", lpString2=".DAN") returned -1 [0063.751] lstrlenW (lpString=".3fr") returned 4 [0063.751] lstrcmpiW (lpString1=".3fr", lpString2=".DAN") returned -1 [0063.751] lstrlenW (lpString=".3g2") returned 4 [0063.751] lstrcmpiW (lpString1=".3g2", lpString2=".DAN") returned -1 [0063.751] lstrlenW (lpString=".3gp") returned 4 [0063.751] lstrcmpiW (lpString1=".3gp", lpString2=".DAN") returned -1 [0063.751] lstrlenW (lpString=".7z") returned 3 [0063.751] lstrcmpiW (lpString1=".7z", lpString2="DAN") returned -1 [0063.751] lstrlenW (lpString=".accda") returned 6 [0063.751] lstrcmpiW (lpString1=".accda", lpString2="ng.DAN") returned -1 [0063.751] lstrlenW (lpString=".accdb") returned 6 [0063.751] lstrcmpiW (lpString1=".accdb", lpString2="ng.DAN") returned -1 [0063.751] lstrlenW (lpString=".accdc") returned 6 [0063.751] lstrcmpiW (lpString1=".accdc", lpString2="ng.DAN") returned -1 [0063.751] lstrlenW (lpString=".accde") returned 6 [0063.751] lstrcmpiW (lpString1=".accde", lpString2="ng.DAN") returned -1 [0063.752] lstrlenW (lpString=".accdt") returned 6 [0063.752] lstrcmpiW (lpString1=".accdt", lpString2="ng.DAN") returned -1 [0063.752] lstrlenW (lpString=".accdw") returned 6 [0063.752] lstrcmpiW (lpString1=".accdw", lpString2="ng.DAN") returned -1 [0063.752] lstrlenW (lpString=".adb") returned 4 [0063.752] lstrcmpiW (lpString1=".adb", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".adp") returned 4 [0063.752] lstrcmpiW (lpString1=".adp", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".ai") returned 3 [0063.752] lstrcmpiW (lpString1=".ai", lpString2="DAN") returned -1 [0063.752] lstrlenW (lpString=".ai3") returned 4 [0063.752] lstrcmpiW (lpString1=".ai3", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".ai4") returned 4 [0063.752] lstrcmpiW (lpString1=".ai4", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".ai5") returned 4 [0063.752] lstrcmpiW (lpString1=".ai5", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".ai6") returned 4 [0063.752] lstrcmpiW (lpString1=".ai6", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".ai7") returned 4 [0063.752] lstrcmpiW (lpString1=".ai7", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".ai8") returned 4 [0063.752] lstrcmpiW (lpString1=".ai8", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".anim") returned 5 [0063.752] lstrcmpiW (lpString1=".anim", lpString2="g.DAN") returned -1 [0063.752] lstrlenW (lpString=".arw") returned 4 [0063.752] lstrcmpiW (lpString1=".arw", lpString2=".DAN") returned -1 [0063.752] lstrlenW (lpString=".as") returned 3 [0063.752] lstrcmpiW (lpString1=".as", lpString2="DAN") returned -1 [0063.752] lstrlenW (lpString=".asa") returned 4 [0063.753] lstrcmpiW (lpString1=".asa", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".asc") returned 4 [0063.753] lstrcmpiW (lpString1=".asc", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".ascx") returned 5 [0063.753] lstrcmpiW (lpString1=".ascx", lpString2="g.DAN") returned -1 [0063.753] lstrlenW (lpString=".asm") returned 4 [0063.753] lstrcmpiW (lpString1=".asm", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".asmx") returned 5 [0063.753] lstrcmpiW (lpString1=".asmx", lpString2="g.DAN") returned -1 [0063.753] lstrlenW (lpString=".asp") returned 4 [0063.753] lstrcmpiW (lpString1=".asp", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".aspx") returned 5 [0063.753] lstrcmpiW (lpString1=".aspx", lpString2="g.DAN") returned -1 [0063.753] lstrlenW (lpString=".asr") returned 4 [0063.753] lstrcmpiW (lpString1=".asr", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".asx") returned 4 [0063.753] lstrcmpiW (lpString1=".asx", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".avi") returned 4 [0063.753] lstrcmpiW (lpString1=".avi", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".avs") returned 4 [0063.753] lstrcmpiW (lpString1=".avs", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".backup") returned 7 [0063.753] lstrcmpiW (lpString1=".backup", lpString2="ing.DAN") returned -1 [0063.753] lstrlenW (lpString=".bak") returned 4 [0063.753] lstrcmpiW (lpString1=".bak", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".bay") returned 4 [0063.753] lstrcmpiW (lpString1=".bay", lpString2=".DAN") returned -1 [0063.753] lstrlenW (lpString=".bd") returned 3 [0063.753] lstrcmpiW (lpString1=".bd", lpString2="DAN") returned -1 [0063.754] lstrlenW (lpString=".bin") returned 4 [0063.754] lstrcmpiW (lpString1=".bin", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".bmp") returned 4 [0063.754] lstrcmpiW (lpString1=".bmp", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".bz2") returned 4 [0063.754] lstrcmpiW (lpString1=".bz2", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".c") returned 2 [0063.754] lstrcmpiW (lpString1=".c", lpString2="AN") returned -1 [0063.754] lstrlenW (lpString=".cdr") returned 4 [0063.754] lstrcmpiW (lpString1=".cdr", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".cer") returned 4 [0063.754] lstrcmpiW (lpString1=".cer", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".cf") returned 3 [0063.754] lstrcmpiW (lpString1=".cf", lpString2="DAN") returned -1 [0063.754] lstrlenW (lpString=".cfc") returned 4 [0063.754] lstrcmpiW (lpString1=".cfc", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".cfm") returned 4 [0063.754] lstrcmpiW (lpString1=".cfm", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".cfml") returned 5 [0063.754] lstrcmpiW (lpString1=".cfml", lpString2="g.DAN") returned -1 [0063.754] lstrlenW (lpString=".cfu") returned 4 [0063.754] lstrcmpiW (lpString1=".cfu", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".chm") returned 4 [0063.754] lstrcmpiW (lpString1=".chm", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".cin") returned 4 [0063.754] lstrcmpiW (lpString1=".cin", lpString2=".DAN") returned -1 [0063.754] lstrlenW (lpString=".class") returned 6 [0063.754] lstrcmpiW (lpString1=".class", lpString2="ng.DAN") returned -1 [0063.754] lstrlenW (lpString=".clx") returned 4 [0063.754] lstrcmpiW (lpString1=".clx", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".config") returned 7 [0063.755] lstrcmpiW (lpString1=".config", lpString2="ing.DAN") returned -1 [0063.755] lstrlenW (lpString=".cpp") returned 4 [0063.755] lstrcmpiW (lpString1=".cpp", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".cr2") returned 4 [0063.755] lstrcmpiW (lpString1=".cr2", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".crt") returned 4 [0063.755] lstrcmpiW (lpString1=".crt", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".crw") returned 4 [0063.755] lstrcmpiW (lpString1=".crw", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".cs") returned 3 [0063.755] lstrcmpiW (lpString1=".cs", lpString2="DAN") returned -1 [0063.755] lstrlenW (lpString=".css") returned 4 [0063.755] lstrcmpiW (lpString1=".css", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".csv") returned 4 [0063.755] lstrcmpiW (lpString1=".csv", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".cub") returned 4 [0063.755] lstrcmpiW (lpString1=".cub", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".dae") returned 4 [0063.755] lstrcmpiW (lpString1=".dae", lpString2=".DAN") returned -1 [0063.755] lstrlenW (lpString=".dat") returned 4 [0063.755] lstrcmpiW (lpString1=".dat", lpString2=".DAN") returned 1 [0063.755] lstrlenW (lpString=".db") returned 3 [0063.755] lstrcmpiW (lpString1=".db", lpString2="DAN") returned -1 [0063.755] lstrlenW (lpString=".dbf") returned 4 [0063.755] lstrcmpiW (lpString1=".dbf", lpString2=".DAN") returned 1 [0063.755] lstrlenW (lpString=".dbx") returned 4 [0063.755] lstrcmpiW (lpString1=".dbx", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dc3") returned 4 [0063.756] lstrcmpiW (lpString1=".dc3", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dcm") returned 4 [0063.756] lstrcmpiW (lpString1=".dcm", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dcr") returned 4 [0063.756] lstrcmpiW (lpString1=".dcr", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".der") returned 4 [0063.756] lstrcmpiW (lpString1=".der", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dib") returned 4 [0063.756] lstrcmpiW (lpString1=".dib", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dic") returned 4 [0063.756] lstrcmpiW (lpString1=".dic", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dif") returned 4 [0063.756] lstrcmpiW (lpString1=".dif", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".divx") returned 5 [0063.756] lstrcmpiW (lpString1=".divx", lpString2="g.DAN") returned -1 [0063.756] lstrlenW (lpString=".djvu") returned 5 [0063.756] lstrcmpiW (lpString1=".djvu", lpString2="g.DAN") returned -1 [0063.756] lstrlenW (lpString=".dng") returned 4 [0063.756] lstrcmpiW (lpString1=".dng", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".doc") returned 4 [0063.756] lstrcmpiW (lpString1=".doc", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".docm") returned 5 [0063.756] lstrcmpiW (lpString1=".docm", lpString2="g.DAN") returned -1 [0063.756] lstrlenW (lpString=".docx") returned 5 [0063.756] lstrcmpiW (lpString1=".docx", lpString2="g.DAN") returned -1 [0063.756] lstrlenW (lpString=".dot") returned 4 [0063.756] lstrcmpiW (lpString1=".dot", lpString2=".DAN") returned 1 [0063.756] lstrlenW (lpString=".dotm") returned 5 [0063.757] lstrcmpiW (lpString1=".dotm", lpString2="g.DAN") returned -1 [0063.757] lstrlenW (lpString=".dotx") returned 5 [0063.757] lstrcmpiW (lpString1=".dotx", lpString2="g.DAN") returned -1 [0063.757] lstrlenW (lpString=".dpx") returned 4 [0063.757] lstrcmpiW (lpString1=".dpx", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".dqy") returned 4 [0063.757] lstrcmpiW (lpString1=".dqy", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".dsn") returned 4 [0063.757] lstrcmpiW (lpString1=".dsn", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".dt") returned 3 [0063.757] lstrcmpiW (lpString1=".dt", lpString2="DAN") returned -1 [0063.757] lstrlenW (lpString=".dtd") returned 4 [0063.757] lstrcmpiW (lpString1=".dtd", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".dwg") returned 4 [0063.757] lstrcmpiW (lpString1=".dwg", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".dwt") returned 4 [0063.757] lstrcmpiW (lpString1=".dwt", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".dx") returned 3 [0063.757] lstrcmpiW (lpString1=".dx", lpString2="DAN") returned -1 [0063.757] lstrlenW (lpString=".dxf") returned 4 [0063.757] lstrcmpiW (lpString1=".dxf", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".edml") returned 5 [0063.757] lstrcmpiW (lpString1=".edml", lpString2="g.DAN") returned -1 [0063.757] lstrlenW (lpString=".efd") returned 4 [0063.757] lstrcmpiW (lpString1=".efd", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".elf") returned 4 [0063.757] lstrcmpiW (lpString1=".elf", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".emf") returned 4 [0063.757] lstrcmpiW (lpString1=".emf", lpString2=".DAN") returned 1 [0063.757] lstrlenW (lpString=".emz") returned 4 [0063.758] lstrcmpiW (lpString1=".emz", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".epf") returned 4 [0063.758] lstrcmpiW (lpString1=".epf", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".eps") returned 4 [0063.758] lstrcmpiW (lpString1=".eps", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".epsf") returned 5 [0063.758] lstrcmpiW (lpString1=".epsf", lpString2="g.DAN") returned -1 [0063.758] lstrlenW (lpString=".epsp") returned 5 [0063.758] lstrcmpiW (lpString1=".epsp", lpString2="g.DAN") returned -1 [0063.758] lstrlenW (lpString=".erf") returned 4 [0063.758] lstrcmpiW (lpString1=".erf", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".exr") returned 4 [0063.758] lstrcmpiW (lpString1=".exr", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".f4v") returned 4 [0063.758] lstrcmpiW (lpString1=".f4v", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".fido") returned 5 [0063.758] lstrcmpiW (lpString1=".fido", lpString2="g.DAN") returned -1 [0063.758] lstrlenW (lpString=".flm") returned 4 [0063.758] lstrcmpiW (lpString1=".flm", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".flv") returned 4 [0063.758] lstrcmpiW (lpString1=".flv", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".frm") returned 4 [0063.758] lstrcmpiW (lpString1=".frm", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".fxg") returned 4 [0063.758] lstrcmpiW (lpString1=".fxg", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".geo") returned 4 [0063.758] lstrcmpiW (lpString1=".geo", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".gif") returned 4 [0063.758] lstrcmpiW (lpString1=".gif", lpString2=".DAN") returned 1 [0063.758] lstrlenW (lpString=".grs") returned 4 [0063.759] lstrcmpiW (lpString1=".grs", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".gz") returned 3 [0063.759] lstrcmpiW (lpString1=".gz", lpString2="DAN") returned -1 [0063.759] lstrlenW (lpString=".h") returned 2 [0063.759] lstrcmpiW (lpString1=".h", lpString2="AN") returned -1 [0063.759] lstrlenW (lpString=".hdr") returned 4 [0063.759] lstrcmpiW (lpString1=".hdr", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".hpp") returned 4 [0063.759] lstrcmpiW (lpString1=".hpp", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".hta") returned 4 [0063.759] lstrcmpiW (lpString1=".hta", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".htc") returned 4 [0063.759] lstrcmpiW (lpString1=".htc", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".htm") returned 4 [0063.759] lstrcmpiW (lpString1=".htm", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".html") returned 5 [0063.759] lstrcmpiW (lpString1=".html", lpString2="g.DAN") returned -1 [0063.759] lstrlenW (lpString=".icb") returned 4 [0063.759] lstrcmpiW (lpString1=".icb", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".ics") returned 4 [0063.759] lstrcmpiW (lpString1=".ics", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".iff") returned 4 [0063.759] lstrcmpiW (lpString1=".iff", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".inc") returned 4 [0063.759] lstrcmpiW (lpString1=".inc", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".indd") returned 5 [0063.759] lstrcmpiW (lpString1=".indd", lpString2="g.DAN") returned -1 [0063.759] lstrlenW (lpString=".ini") returned 4 [0063.759] lstrcmpiW (lpString1=".ini", lpString2=".DAN") returned 1 [0063.759] lstrlenW (lpString=".iqy") returned 4 [0063.760] lstrcmpiW (lpString1=".iqy", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".j2c") returned 4 [0063.760] lstrcmpiW (lpString1=".j2c", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".j2k") returned 4 [0063.760] lstrcmpiW (lpString1=".j2k", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".java") returned 5 [0063.760] lstrcmpiW (lpString1=".java", lpString2="g.DAN") returned -1 [0063.760] lstrlenW (lpString=".jp2") returned 4 [0063.760] lstrcmpiW (lpString1=".jp2", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".jpc") returned 4 [0063.760] lstrcmpiW (lpString1=".jpc", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".jpe") returned 4 [0063.760] lstrcmpiW (lpString1=".jpe", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".jpeg") returned 5 [0063.760] lstrcmpiW (lpString1=".jpeg", lpString2="g.DAN") returned -1 [0063.760] lstrlenW (lpString=".jpf") returned 4 [0063.760] lstrcmpiW (lpString1=".jpf", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".jpg") returned 4 [0063.760] lstrcmpiW (lpString1=".jpg", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".jpx") returned 4 [0063.760] lstrcmpiW (lpString1=".jpx", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".js") returned 3 [0063.760] lstrcmpiW (lpString1=".js", lpString2="DAN") returned -1 [0063.760] lstrlenW (lpString=".jsf") returned 4 [0063.760] lstrcmpiW (lpString1=".jsf", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".json") returned 5 [0063.760] lstrcmpiW (lpString1=".json", lpString2="g.DAN") returned -1 [0063.760] lstrlenW (lpString=".jsp") returned 4 [0063.760] lstrcmpiW (lpString1=".jsp", lpString2=".DAN") returned 1 [0063.760] lstrlenW (lpString=".kdc") returned 4 [0063.761] lstrcmpiW (lpString1=".kdc", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".kmz") returned 4 [0063.761] lstrcmpiW (lpString1=".kmz", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".kwm") returned 4 [0063.761] lstrcmpiW (lpString1=".kwm", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".lasso") returned 6 [0063.761] lstrcmpiW (lpString1=".lasso", lpString2="ng.DAN") returned -1 [0063.761] lstrlenW (lpString=".lbi") returned 4 [0063.761] lstrcmpiW (lpString1=".lbi", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".lgf") returned 4 [0063.761] lstrcmpiW (lpString1=".lgf", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".lgp") returned 4 [0063.761] lstrcmpiW (lpString1=".lgp", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".log") returned 4 [0063.761] lstrcmpiW (lpString1=".log", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".m1v") returned 4 [0063.761] lstrcmpiW (lpString1=".m1v", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".m4a") returned 4 [0063.761] lstrcmpiW (lpString1=".m4a", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".m4v") returned 4 [0063.761] lstrcmpiW (lpString1=".m4v", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".max") returned 4 [0063.761] lstrcmpiW (lpString1=".max", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".md") returned 3 [0063.761] lstrcmpiW (lpString1=".md", lpString2="DAN") returned -1 [0063.761] lstrlenW (lpString=".mda") returned 4 [0063.761] lstrcmpiW (lpString1=".mda", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".mdb") returned 4 [0063.761] lstrcmpiW (lpString1=".mdb", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".mde") returned 4 [0063.761] lstrcmpiW (lpString1=".mde", lpString2=".DAN") returned 1 [0063.761] lstrlenW (lpString=".mdf") returned 4 [0063.762] lstrcmpiW (lpString1=".mdf", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mdw") returned 4 [0063.762] lstrcmpiW (lpString1=".mdw", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mef") returned 4 [0063.762] lstrcmpiW (lpString1=".mef", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mft") returned 4 [0063.762] lstrcmpiW (lpString1=".mft", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mfw") returned 4 [0063.762] lstrcmpiW (lpString1=".mfw", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mht") returned 4 [0063.762] lstrcmpiW (lpString1=".mht", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mhtml") returned 6 [0063.762] lstrcmpiW (lpString1=".mhtml", lpString2="ng.DAN") returned -1 [0063.762] lstrlenW (lpString=".mka") returned 4 [0063.762] lstrcmpiW (lpString1=".mka", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mkidx") returned 6 [0063.762] lstrcmpiW (lpString1=".mkidx", lpString2="ng.DAN") returned -1 [0063.762] lstrlenW (lpString=".mkv") returned 4 [0063.762] lstrcmpiW (lpString1=".mkv", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mos") returned 4 [0063.762] lstrcmpiW (lpString1=".mos", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mov") returned 4 [0063.762] lstrcmpiW (lpString1=".mov", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mp3") returned 4 [0063.762] lstrcmpiW (lpString1=".mp3", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mp4") returned 4 [0063.762] lstrcmpiW (lpString1=".mp4", lpString2=".DAN") returned 1 [0063.762] lstrlenW (lpString=".mpeg") returned 5 [0063.762] lstrcmpiW (lpString1=".mpeg", lpString2="g.DAN") returned -1 [0063.762] lstrlenW (lpString=".mpg") returned 4 [0063.762] lstrcmpiW (lpString1=".mpg", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".mpv") returned 4 [0063.763] lstrcmpiW (lpString1=".mpv", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".mrw") returned 4 [0063.763] lstrcmpiW (lpString1=".mrw", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".msg") returned 4 [0063.763] lstrcmpiW (lpString1=".msg", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".mxl") returned 4 [0063.763] lstrcmpiW (lpString1=".mxl", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".myd") returned 4 [0063.763] lstrcmpiW (lpString1=".myd", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".myi") returned 4 [0063.763] lstrcmpiW (lpString1=".myi", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".nef") returned 4 [0063.763] lstrcmpiW (lpString1=".nef", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".nrw") returned 4 [0063.763] lstrcmpiW (lpString1=".nrw", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".obj") returned 4 [0063.763] lstrcmpiW (lpString1=".obj", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".odb") returned 4 [0063.763] lstrcmpiW (lpString1=".odb", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".odc") returned 4 [0063.763] lstrcmpiW (lpString1=".odc", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".odm") returned 4 [0063.763] lstrcmpiW (lpString1=".odm", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".odp") returned 4 [0063.763] lstrcmpiW (lpString1=".odp", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".ods") returned 4 [0063.763] lstrcmpiW (lpString1=".ods", lpString2=".DAN") returned 1 [0063.763] lstrlenW (lpString=".oft") returned 4 [0063.763] lstrcmpiW (lpString1=".oft", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".one") returned 4 [0063.764] lstrcmpiW (lpString1=".one", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".onepkg") returned 7 [0063.764] lstrcmpiW (lpString1=".onepkg", lpString2="ing.DAN") returned -1 [0063.764] lstrlenW (lpString=".onetoc2") returned 8 [0063.764] lstrcmpiW (lpString1=".onetoc2", lpString2="ling.DAN") returned -1 [0063.764] lstrlenW (lpString=".opt") returned 4 [0063.764] lstrcmpiW (lpString1=".opt", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".oqy") returned 4 [0063.764] lstrcmpiW (lpString1=".oqy", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".orf") returned 4 [0063.764] lstrcmpiW (lpString1=".orf", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".p12") returned 4 [0063.764] lstrcmpiW (lpString1=".p12", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".p7b") returned 4 [0063.764] lstrcmpiW (lpString1=".p7b", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".p7c") returned 4 [0063.764] lstrcmpiW (lpString1=".p7c", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".pam") returned 4 [0063.764] lstrcmpiW (lpString1=".pam", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".pbm") returned 4 [0063.764] lstrcmpiW (lpString1=".pbm", lpString2=".DAN") returned 1 [0063.764] lstrlenW (lpString=".pct") returned 4 [0063.765] lstrcmpiW (lpString1=".pct", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pcx") returned 4 [0063.765] lstrcmpiW (lpString1=".pcx", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pdd") returned 4 [0063.765] lstrcmpiW (lpString1=".pdd", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pdf") returned 4 [0063.765] lstrcmpiW (lpString1=".pdf", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pdp") returned 4 [0063.765] lstrcmpiW (lpString1=".pdp", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pef") returned 4 [0063.765] lstrcmpiW (lpString1=".pef", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pem") returned 4 [0063.765] lstrcmpiW (lpString1=".pem", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pff") returned 4 [0063.765] lstrcmpiW (lpString1=".pff", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pfm") returned 4 [0063.765] lstrcmpiW (lpString1=".pfm", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pfx") returned 4 [0063.765] lstrcmpiW (lpString1=".pfx", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".pgm") returned 4 [0063.765] lstrcmpiW (lpString1=".pgm", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".php") returned 4 [0063.765] lstrcmpiW (lpString1=".php", lpString2=".DAN") returned 1 [0063.765] lstrlenW (lpString=".php3") returned 5 [0063.765] lstrcmpiW (lpString1=".php3", lpString2="g.DAN") returned -1 [0063.765] lstrlenW (lpString=".php4") returned 5 [0063.765] lstrcmpiW (lpString1=".php4", lpString2="g.DAN") returned -1 [0063.765] lstrlenW (lpString=".php5") returned 5 [0063.765] lstrcmpiW (lpString1=".php5", lpString2="g.DAN") returned -1 [0063.765] lstrlenW (lpString=".phtml") returned 6 [0063.766] lstrcmpiW (lpString1=".phtml", lpString2="ng.DAN") returned -1 [0063.766] lstrlenW (lpString=".pict") returned 5 [0063.766] lstrcmpiW (lpString1=".pict", lpString2="g.DAN") returned -1 [0063.766] lstrlenW (lpString=".pl") returned 3 [0063.766] lstrcmpiW (lpString1=".pl", lpString2="DAN") returned -1 [0063.766] lstrlenW (lpString=".pls") returned 4 [0063.766] lstrcmpiW (lpString1=".pls", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".pm") returned 3 [0063.766] lstrcmpiW (lpString1=".pm", lpString2="DAN") returned -1 [0063.766] lstrlenW (lpString=".png") returned 4 [0063.766] lstrcmpiW (lpString1=".png", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".pnm") returned 4 [0063.766] lstrcmpiW (lpString1=".pnm", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".pot") returned 4 [0063.766] lstrcmpiW (lpString1=".pot", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".potm") returned 5 [0063.766] lstrcmpiW (lpString1=".potm", lpString2="g.DAN") returned -1 [0063.766] lstrlenW (lpString=".potx") returned 5 [0063.766] lstrcmpiW (lpString1=".potx", lpString2="g.DAN") returned -1 [0063.766] lstrlenW (lpString=".ppa") returned 4 [0063.766] lstrcmpiW (lpString1=".ppa", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".ppam") returned 5 [0063.766] lstrcmpiW (lpString1=".ppam", lpString2="g.DAN") returned -1 [0063.766] lstrlenW (lpString=".ppm") returned 4 [0063.766] lstrcmpiW (lpString1=".ppm", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".pps") returned 4 [0063.766] lstrcmpiW (lpString1=".pps", lpString2=".DAN") returned 1 [0063.766] lstrlenW (lpString=".ppsm") returned 5 [0063.766] lstrcmpiW (lpString1=".ppsm", lpString2="g.DAN") returned -1 [0063.767] lstrlenW (lpString=".ppt") returned 4 [0063.767] lstrcmpiW (lpString1=".ppt", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".pptm") returned 5 [0063.767] lstrcmpiW (lpString1=".pptm", lpString2="g.DAN") returned -1 [0063.767] lstrlenW (lpString=".pptx") returned 5 [0063.767] lstrcmpiW (lpString1=".pptx", lpString2="g.DAN") returned -1 [0063.767] lstrlenW (lpString=".prn") returned 4 [0063.767] lstrcmpiW (lpString1=".prn", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".ps") returned 3 [0063.767] lstrcmpiW (lpString1=".ps", lpString2="DAN") returned -1 [0063.767] lstrlenW (lpString=".psb") returned 4 [0063.767] lstrcmpiW (lpString1=".psb", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".psd") returned 4 [0063.767] lstrcmpiW (lpString1=".psd", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".pst") returned 4 [0063.767] lstrcmpiW (lpString1=".pst", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".ptx") returned 4 [0063.767] lstrcmpiW (lpString1=".ptx", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".pub") returned 4 [0063.767] lstrcmpiW (lpString1=".pub", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".pwm") returned 4 [0063.767] lstrcmpiW (lpString1=".pwm", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".pxr") returned 4 [0063.767] lstrcmpiW (lpString1=".pxr", lpString2=".DAN") returned 1 [0063.767] lstrlenW (lpString=".py") returned 3 [0063.767] lstrcmpiW (lpString1=".py", lpString2="DAN") returned -1 [0063.767] lstrlenW (lpString=".qt") returned 3 [0063.768] lstrcmpiW (lpString1=".qt", lpString2="DAN") returned -1 [0063.768] lstrlenW (lpString=".r3d") returned 4 [0063.768] lstrcmpiW (lpString1=".r3d", lpString2=".DAN") returned 1 [0063.768] lstrlenW (lpString=".raf") returned 4 [0063.768] lstrcmpiW (lpString1=".raf", lpString2=".DAN") returned 1 [0063.768] lstrlenW (lpString=".rar") returned 4 [0063.768] lstrcmpiW (lpString1=".rar", lpString2=".DAN") returned 1 [0063.768] lstrlenW (lpString=".raw") returned 4 [0063.768] lstrcmpiW (lpString1=".raw", lpString2=".DAN") returned 1 [0063.768] FindClose (in: hFindFile=0x3814430 | out: hFindFile=0x3814430) returned 1 [0063.769] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x3f960d8 | out: hHeap=0x500000) returned 1 [0063.769] FindNextFileW (in: hFindFile=0x3814470, lpFindFileData=0x3a6f094 | out: lpFindFileData=0x3a6f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d723420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x82f5c380, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x82f5c380, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de_DE", cAlternateFileName="")) returned 1 [0063.769] FindFirstFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\de_DE\\*", lpFindFileData=0x3a6ee18) Thread: id = 20 os_tid = 0xb34 Thread: id = 22 os_tid = 0xb5c Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4d0c8000" os_pid = "0xa8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x5a8" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0xa80 [0036.303] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efc50 | out: lpSystemTimeAsFileTime=0x2efc50*(dwLowDateTime=0x8e4a2340, dwHighDateTime=0x1d5eb2e)) [0036.303] GetCurrentProcessId () returned 0xa8c [0036.303] GetCurrentThreadId () returned 0xa80 [0036.303] GetTickCount () returned 0x11437d3 [0036.303] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc58 | out: lpPerformanceCount=0x2efc58*=15705872303) returned 1 [0036.304] GetModuleHandleW (lpModuleName=0x0) returned 0x4a020000 [0036.304] __set_app_type (_Type=0x1) [0036.304] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a047810) returned 0x0 [0036.304] __getmainargs (in: _Argc=0x4a06a608, _Argv=0x4a06a618, _Env=0x4a06a610, _DoWildCard=0, _StartInfo=0x4a04e0f4 | out: _Argc=0x4a06a608, _Argv=0x4a06a618, _Env=0x4a06a610) returned 0 [0036.304] GetCurrentThreadId () returned 0xa80 [0036.304] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa80) returned 0x3c [0036.305] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0036.305] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0036.305] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0036.306] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.306] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efbe8 | out: phkResult=0x2efbe8*=0x0) returned 0x2 [0036.306] VirtualQuery (in: lpAddress=0x2efbd0, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0036.306] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0036.306] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0036.306] VirtualQuery (in: lpAddress=0x1f4000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x1f4000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0036.306] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0036.306] GetConsoleOutputCP () returned 0x1b5 [0036.306] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0036.306] SetConsoleCtrlHandler (HandlerRoutine=0x4a043184, Add=1) returned 1 [0036.306] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.306] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0036.307] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.307] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a04e194 | out: lpMode=0x4a04e194) returned 0 [0036.307] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.307] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a04e198 | out: lpMode=0x4a04e198) returned 0 [0036.307] GetEnvironmentStringsW () returned 0x3e8a60* [0036.307] GetProcessHeap () returned 0x3d0000 [0036.307] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa7c) returned 0x3e94f0 [0036.307] FreeEnvironmentStringsW (penv=0x3e8a60) returned 1 [0036.307] GetProcessHeap () returned 0x3d0000 [0036.307] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x8) returned 0x3e88e0 [0036.307] GetEnvironmentStringsW () returned 0x3e8a60* [0036.307] GetProcessHeap () returned 0x3d0000 [0036.307] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa7c) returned 0x3e9f80 [0036.308] FreeEnvironmentStringsW (penv=0x3e8a60) returned 1 [0036.308] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeaa8 | out: phkResult=0x2eeaa8*=0x44) returned 0x0 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x18, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x0, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.308] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0036.308] RegCloseKey (hKey=0x44) returned 0x0 [0036.309] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeaa8 | out: phkResult=0x2eeaa8*=0x44) returned 0x0 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x0, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x9, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x9, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0036.309] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x9, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0036.309] RegCloseKey (hKey=0x44) returned 0x0 [0036.309] time (in: timer=0x0 | out: timer=0x0) returned 0x5e53f82e [0036.309] srand (_Seed=0x5e53f82e) [0036.309] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0036.309] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0036.309] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a05c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0036.309] GetProcessHeap () returned 0x3d0000 [0036.309] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x218) returned 0x3eaa10 [0036.309] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3eaa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0036.310] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.310] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.310] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0036.310] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0036.310] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0036.310] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0036.310] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0036.310] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0036.310] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0036.310] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0036.310] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0036.310] GetProcessHeap () returned 0x3d0000 [0036.310] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e94f0 | out: hHeap=0x3d0000) returned 1 [0036.310] GetEnvironmentStringsW () returned 0x3e8a60* [0036.310] GetProcessHeap () returned 0x3d0000 [0036.310] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa94) returned 0x3eac30 [0036.310] FreeEnvironmentStringsW (penv=0x3e8a60) returned 1 [0036.310] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.310] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.310] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.310] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.310] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.310] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.310] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.310] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.311] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.311] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.311] GetProcessHeap () returned 0x3d0000 [0036.311] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x5c) returned 0x3eb6d0 [0036.311] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef8b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0036.311] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef8b0, lpFilePart=0x2ef890 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef890*="Desktop") returned 0x25 [0036.311] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0036.311] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef5c0 | out: lpFindFileData=0x2ef5c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x3eb740 [0036.311] FindClose (in: hFindFile=0x3eb740 | out: hFindFile=0x3eb740) returned 1 [0036.311] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef5c0 | out: lpFindFileData=0x2ef5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3eb740 [0036.311] FindClose (in: hFindFile=0x3eb740 | out: hFindFile=0x3eb740) returned 1 [0036.311] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0036.311] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef5c0 | out: lpFindFileData=0x2ef5c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x86d80280, ftLastAccessTime.dwHighDateTime=0x1d5eb2e, ftLastWriteTime.dwLowDateTime=0x86d80280, ftLastWriteTime.dwHighDateTime=0x1d5eb2e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x3eb740 [0036.311] FindClose (in: hFindFile=0x3eb740 | out: hFindFile=0x3eb740) returned 1 [0036.312] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0036.312] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0036.312] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0036.312] GetProcessHeap () returned 0x3d0000 [0036.312] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eac30 | out: hHeap=0x3d0000) returned 1 [0036.312] GetEnvironmentStringsW () returned 0x3eb740* [0036.312] GetProcessHeap () returned 0x3d0000 [0036.312] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xae8) returned 0x3ec230 [0036.312] FreeEnvironmentStringsW (penv=0x3eb740) returned 1 [0036.312] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a05c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0036.312] GetProcessHeap () returned 0x3d0000 [0036.312] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eb6d0 | out: hHeap=0x3d0000) returned 1 [0036.312] GetProcessHeap () returned 0x3d0000 [0036.312] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4016) returned 0x3ecd20 [0036.312] GetProcessHeap () returned 0x3d0000 [0036.312] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3ecd20 | out: hHeap=0x3d0000) returned 1 [0036.312] GetConsoleOutputCP () returned 0x1b5 [0036.313] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0036.313] GetUserDefaultLCID () returned 0x409 [0036.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a057b50, cchData=8 | out: lpLCData=":") returned 2 [0036.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="0") returned 2 [0036.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="0") returned 2 [0036.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="1") returned 2 [0036.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a06a740, cchData=8 | out: lpLCData="/") returned 2 [0036.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a06a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a06a460, cchData=32 | out: lpLCData="Tue") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a06a420, cchData=32 | out: lpLCData="Wed") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a06a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a06a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a06a360, cchData=32 | out: lpLCData="Sat") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a06a700, cchData=32 | out: lpLCData="Sun") returned 4 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a057b40, cchData=8 | out: lpLCData=".") returned 2 [0036.314] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a06a4e0, cchData=8 | out: lpLCData=",") returned 2 [0036.314] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.315] GetProcessHeap () returned 0x3d0000 [0036.315] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x20c) returned 0x3e95c0 [0036.315] GetConsoleTitleW (in: lpConsoleTitle=0x3e95c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.315] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.315] GetFileType (hFile=0xf4) returned 0x3 [0036.315] BrandingFormatString () returned 0x3e97e0 [0036.320] GetVersion () returned 0x1db10106 [0036.320] _vsnwprintf (in: _Buffer=0x2efb30, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x2efac8 | out: _Buffer="6.1.7601") returned 8 [0036.320] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.320] GetFileType (hFile=0xf4) returned 0x3 [0036.320] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a066340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0036.320] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a066340, nSize=0x2000, Arguments=0x2efad0 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0036.320] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.320] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0036.320] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x2efa58, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2efa58*=0x24, lpOverlapped=0x0) returned 1 [0036.320] _vsnwprintf (in: _Buffer=0x4a066340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2efaf8 | out: _Buffer="\r\n") returned 2 [0036.320] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.320] GetFileType (hFile=0xf4) returned 0x3 [0036.320] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.321] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0036.321] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2efac8, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2efac8*=0x2, lpOverlapped=0x0) returned 1 [0036.321] _vsnwprintf (in: _Buffer=0x4a066340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x2efaf8 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0036.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.321] GetFileType (hFile=0xf4) returned 0x3 [0036.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.321] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0036.321] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x2efac8, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2efac8*=0x3f, lpOverlapped=0x0) returned 1 [0036.321] _vsnwprintf (in: _Buffer=0x4a066340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2efaf8 | out: _Buffer="\r\n") returned 2 [0036.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.321] GetFileType (hFile=0xf4) returned 0x3 [0036.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.321] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0036.321] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2efac8, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2efac8*=0x2, lpOverlapped=0x0) returned 1 [0036.321] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0036.321] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0036.321] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0036.321] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0036.322] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.322] GetFileType (hFile=0xe8) returned 0x3 [0036.322] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0036.322] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x2ef920 | out: TokenHandle=0x2ef920*=0x0) returned 0xc000007c [0036.322] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x2ef920 | out: TokenHandle=0x2ef920*=0x50) returned 0x0 [0036.322] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x2ef930, TokenInformationLength=0x4, ReturnLength=0x2ef938 | out: TokenInformation=0x2ef930, ReturnLength=0x2ef938) returned 0x0 [0036.322] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x2ef938, TokenInformationLength=0x4, ReturnLength=0x2ef930 | out: TokenInformation=0x2ef938, ReturnLength=0x2ef930) returned 0x0 [0036.322] NtClose (Handle=0x50) returned 0x0 [0036.322] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x2ef900, nSize=0x0, Arguments=0x2ef908 | out: lpBuffer="韠>") returned 0xf [0036.322] GetProcessHeap () returned 0x3d0000 [0036.322] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x218) returned 0x3d1ab0 [0036.322] GetConsoleTitleW (in: lpConsoleTitle=0x2ef950, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.322] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0036.322] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0036.323] GetProcessHeap () returned 0x3d0000 [0036.323] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3d1ab0 | out: hHeap=0x3d0000) returned 1 [0036.323] LocalFree (hMem=0x3e97e0) returned 0x0 [0036.323] GetProcessHeap () returned 0x3d0000 [0036.323] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eaa10 | out: hHeap=0x3d0000) returned 1 [0036.324] _vsnwprintf (in: _Buffer=0x4a066340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2ef638 | out: _Buffer="\r\n") returned 2 [0036.324] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.324] GetFileType (hFile=0xf4) returned 0x3 [0036.324] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.324] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0036.324] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ef608, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2ef608*=0x2, lpOverlapped=0x0) returned 1 [0036.324] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.324] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a05c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0036.324] _vsnwprintf (in: _Buffer=0x4a04eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x2ef648 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0036.324] _vsnwprintf (in: _Buffer=0x4a04ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x2ef648 | out: _Buffer=">") returned 1 [0036.324] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.324] GetFileType (hFile=0xf4) returned 0x3 [0036.324] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.324] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0036.324] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x2ef638, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2ef638*=0x26, lpOverlapped=0x0) returned 1 [0036.324] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.324] GetFileType (hFile=0xe8) returned 0x3 [0036.324] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.324] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.325] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.325] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0036.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.325] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.325] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.325] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0036.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.325] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0036.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0036.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0036.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0036.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0036.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0036.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0036.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.328] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.328] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.328] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.328] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.328] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.328] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0036.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.329] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.329] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0036.329] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.329] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.329] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0036.329] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0036.329] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.329] GetFileType (hFile=0xe8) returned 0x3 [0036.329] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.329] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.329] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.329] GetFileType (hFile=0xf4) returned 0x3 [0036.329] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.329] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0036.329] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x2ef918, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2ef918*=0x18, lpOverlapped=0x0) returned 1 [0036.329] GetProcessHeap () returned 0x3d0000 [0036.330] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4012) returned 0x3ecd20 [0036.330] GetProcessHeap () returned 0x3d0000 [0036.330] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3ecd20 | out: hHeap=0x3d0000) returned 1 [0036.330] _wcsicmp (_String1="mode", _String2=")") returned 68 [0036.330] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0036.330] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0036.330] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0036.330] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0036.330] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0036.330] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0036.330] GetProcessHeap () returned 0x3d0000 [0036.330] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb0) returned 0x3e97e0 [0036.330] GetProcessHeap () returned 0x3d0000 [0036.330] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x1a) returned 0x3e4610 [0036.331] GetProcessHeap () returned 0x3d0000 [0036.331] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x38) returned 0x3e6510 [0036.331] GetConsoleOutputCP () returned 0x1b5 [0036.331] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0036.331] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0036.332] GetConsoleTitleW (in: lpConsoleTitle=0x2ef8d0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0036.332] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0036.332] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0036.332] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0036.332] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0036.332] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0036.332] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0036.332] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0036.332] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0036.332] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0036.332] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0036.332] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0036.332] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0036.332] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0036.332] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0036.332] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0036.332] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0036.332] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0036.332] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0036.332] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0036.332] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0036.332] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0036.332] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0036.332] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0036.333] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0036.333] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0036.333] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0036.333] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0036.333] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0036.333] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0036.333] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0036.333] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0036.333] _wcsicmp (_String1="mode", _String2="START") returned -6 [0036.333] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0036.333] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0036.333] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0036.333] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0036.333] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0036.333] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0036.333] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0036.333] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0036.333] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0036.333] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0036.333] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0036.333] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0036.333] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0036.333] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0036.333] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0036.333] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0036.333] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0036.333] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0036.333] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0036.333] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0036.333] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0036.333] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0036.333] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0036.333] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0036.333] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0036.333] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0036.333] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0036.333] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0036.333] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0036.333] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0036.334] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0036.334] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0036.334] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0036.334] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0036.334] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0036.334] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0036.334] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0036.334] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0036.334] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0036.334] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0036.334] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0036.334] _wcsicmp (_String1="mode", _String2="START") returned -6 [0036.334] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0036.334] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0036.334] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0036.334] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0036.334] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0036.334] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0036.334] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0036.334] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0036.334] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0036.334] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0036.334] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0036.334] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0036.334] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0036.335] GetProcessHeap () returned 0x3d0000 [0036.335] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x218) returned 0x3d1ab0 [0036.335] GetProcessHeap () returned 0x3d0000 [0036.335] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x42) returned 0x3e98a0 [0036.335] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0036.335] GetProcessHeap () returned 0x3d0000 [0036.335] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x420) returned 0x3e9a80 [0036.335] SetErrorMode (uMode=0x0) returned 0x0 [0036.335] SetErrorMode (uMode=0x1) returned 0x0 [0036.335] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3e9a90, lpFilePart=0x2ef160 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef160*="Desktop") returned 0x25 [0036.335] SetErrorMode (uMode=0x0) returned 0x1 [0036.335] GetProcessHeap () returned 0x3d0000 [0036.335] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e9a80, Size=0x66) returned 0x3e9a80 [0036.335] GetProcessHeap () returned 0x3d0000 [0036.335] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e9a80) returned 0x66 [0036.335] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.335] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.336] GetProcessHeap () returned 0x3d0000 [0036.336] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x128) returned 0x3d1cd0 [0036.336] GetProcessHeap () returned 0x3d0000 [0036.336] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x240) returned 0x3e9b00 [0036.342] GetProcessHeap () returned 0x3d0000 [0036.342] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e9b00, Size=0x12a) returned 0x3e9b00 [0036.342] GetProcessHeap () returned 0x3d0000 [0036.342] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e9b00) returned 0x12a [0036.342] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.342] GetProcessHeap () returned 0x3d0000 [0036.342] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xe8) returned 0x3e5b70 [0036.342] GetProcessHeap () returned 0x3d0000 [0036.342] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e5b70, Size=0x7e) returned 0x3e5b70 [0036.342] GetProcessHeap () returned 0x3d0000 [0036.342] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e5b70) returned 0x7e [0036.344] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.344] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0036.345] GetLastError () returned 0x2 [0036.345] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0036.345] GetLastError () returned 0x2 [0036.345] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.345] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0x3e5c00 [0036.345] GetProcessHeap () returned 0x3d0000 [0036.345] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x28) returned 0x3e4640 [0036.345] FindClose (in: hFindFile=0x3e5c00 | out: hFindFile=0x3e5c00) returned 1 [0036.345] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0x3e5c00 [0036.345] GetProcessHeap () returned 0x3d0000 [0036.345] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e4640, Size=0x8) returned 0x3e98f0 [0036.345] FindClose (in: hFindFile=0x3e5c00 | out: hFindFile=0x3e5c00) returned 1 [0036.345] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0036.345] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0036.345] GetConsoleTitleW (in: lpConsoleTitle=0x2ef420, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0036.346] GetProcessHeap () returned 0x3d0000 [0036.346] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x21c) returned 0x3e9c40 [0036.346] GetConsoleTitleW (in: lpConsoleTitle=0x3e9c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0036.346] GetProcessHeap () returned 0x3d0000 [0036.346] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e9c40, Size=0xa8) returned 0x3e9c40 [0036.346] GetProcessHeap () returned 0x3d0000 [0036.346] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e9c40) returned 0xa8 [0036.346] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0036.346] GetProcessHeap () returned 0x3d0000 [0036.346] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e9c40 | out: hHeap=0x3d0000) returned 1 [0036.346] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef1d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef198 | out: lpAttributeList=0x2ef1d8, lpSize=0x2ef198) returned 1 [0036.347] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef1d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef188, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef1d8, lpPreviousValue=0x0) returned 1 [0036.347] GetStartupInfoW (in: lpStartupInfo=0x2ef2f0 | out: lpStartupInfo=0x2ef2f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0036.347] GetProcessHeap () returned 0x3d0000 [0036.347] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x20) returned 0x3e4640 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.347] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.348] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.348] GetProcessHeap () returned 0x3d0000 [0036.348] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4640 | out: hHeap=0x3d0000) returned 1 [0036.348] GetProcessHeap () returned 0x3d0000 [0036.348] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x12) returned 0x3e8900 [0036.348] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2ef210*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1c0 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x2ef1c0*(hProcess=0x54, hThread=0x50, dwProcessId=0xb10, dwThreadId=0xb0c)) returned 1 [0036.489] CloseHandle (hObject=0x50) returned 1 [0036.489] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.489] GetProcessHeap () returned 0x3d0000 [0036.489] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3ec230 | out: hHeap=0x3d0000) returned 1 [0036.489] GetEnvironmentStringsW () returned 0x3eaa10* [0036.489] GetProcessHeap () returned 0x3d0000 [0036.489] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xae8) returned 0x3eb500 [0036.489] FreeEnvironmentStringsW (penv=0x3eaa10) returned 1 [0036.489] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77a60000 [0036.489] GetProcAddress (hModule=0x77a60000, lpProcName="NtQueryInformationProcess") returned 0x77ab14a0 [0036.489] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x2eeac8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x2eeac8, ReturnLength=0x0) returned 0x0 [0036.489] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdb000, lpBuffer=0x2eeb00, nSize=0x380, lpNumberOfBytesRead=0x2eeac0 | out: lpBuffer=0x2eeb00*, lpNumberOfBytesRead=0x2eeac0*=0x380) returned 1 [0036.490] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0038.851] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2ef108 | out: lpExitCode=0x2ef108*=0x0) returned 1 [0038.851] CloseHandle (hObject=0x54) returned 1 [0038.851] _vsnwprintf (in: _Buffer=0x2ef378, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef118 | out: _Buffer="00000000") returned 8 [0038.852] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0038.852] GetProcessHeap () returned 0x3d0000 [0038.852] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eb500 | out: hHeap=0x3d0000) returned 1 [0038.852] GetEnvironmentStringsW () returned 0x3eaa10* [0038.852] GetProcessHeap () returned 0x3d0000 [0038.852] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb0e) returned 0x3eeb10 [0038.852] FreeEnvironmentStringsW (penv=0x3eaa10) returned 1 [0038.852] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.852] GetProcessHeap () returned 0x3d0000 [0038.852] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eeb10 | out: hHeap=0x3d0000) returned 1 [0038.852] GetEnvironmentStringsW () returned 0x3eaa10* [0038.852] GetProcessHeap () returned 0x3d0000 [0038.852] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb0e) returned 0x3eeb10 [0038.852] FreeEnvironmentStringsW (penv=0x3eaa10) returned 1 [0038.852] GetProcessHeap () returned 0x3d0000 [0038.852] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e8900 | out: hHeap=0x3d0000) returned 1 [0038.852] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef1d8 | out: lpAttributeList=0x2ef1d8) [0039.011] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0039.012] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.012] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0039.012] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.012] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a04e194 | out: lpMode=0x4a04e194) returned 0 [0039.012] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.012] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a04e198 | out: lpMode=0x4a04e198) returned 0 [0039.012] GetConsoleOutputCP () returned 0x4e3 [0039.012] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0039.013] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e5b70 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e9b00 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3d1cd0 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e9a80 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e98a0 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3d1ab0 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6510 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4610 | out: hHeap=0x3d0000) returned 1 [0039.013] GetProcessHeap () returned 0x3d0000 [0039.013] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e97e0 | out: hHeap=0x3d0000) returned 1 [0039.013] _vsnwprintf (in: _Buffer=0x4a066340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x2ef638 | out: _Buffer="\r\n") returned 2 [0039.013] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.013] GetFileType (hFile=0xf4) returned 0x3 [0039.013] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.014] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0039.014] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ef608, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2ef608*=0x2, lpOverlapped=0x0) returned 1 [0039.014] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0039.014] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a05c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.014] _vsnwprintf (in: _Buffer=0x4a04eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x2ef648 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0039.014] _vsnwprintf (in: _Buffer=0x4a04ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x2ef648 | out: _Buffer=">") returned 1 [0039.014] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.014] GetFileType (hFile=0xf4) returned 0x3 [0039.014] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.014] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0039.014] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x2ef638, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2ef638*=0x26, lpOverlapped=0x0) returned 1 [0039.014] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.014] GetFileType (hFile=0xe8) returned 0x3 [0039.014] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.014] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.014] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.014] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0039.014] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.014] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.014] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.014] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.015] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.015] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.015] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.015] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.015] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.015] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.015] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.015] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.015] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.015] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.015] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.015] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0039.015] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.015] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.016] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0039.016] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.016] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.016] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0039.016] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.016] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.016] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0039.016] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.016] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.016] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0039.016] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.016] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.016] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0039.016] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.016] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.016] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0039.016] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.016] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.016] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0039.017] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.017] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.017] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0039.017] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.017] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.017] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0039.017] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.017] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.017] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0039.017] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.017] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.017] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0039.017] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.017] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.017] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0039.017] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.017] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.017] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.017] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.018] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.018] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.018] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.018] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.018] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.018] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.018] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.018] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.018] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.018] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.018] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.018] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0039.018] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.018] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.019] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.019] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0039.019] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.019] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.019] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.019] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0039.019] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.019] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.019] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.019] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0039.019] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.019] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.019] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.019] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0039.019] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.019] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.019] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.019] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0039.019] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.019] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.019] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.019] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0039.019] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.019] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.020] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.020] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0039.020] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.020] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.020] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.020] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0039.020] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.020] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.020] ReadFile (in: hFile=0xe8, lpBuffer=0x4a05c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x2ef938, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesRead=0x2ef938*=0x1, lpOverlapped=0x0) returned 1 [0039.020] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a05c320, cbMultiByte=1, lpWideCharStr=0x4a05e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0039.020] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.020] GetFileType (hFile=0xe8) returned 0x3 [0039.020] _get_osfhandle (_FileHandle=0) returned 0xe8 [0039.020] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.020] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.020] GetFileType (hFile=0xf4) returned 0x3 [0039.020] _get_osfhandle (_FileHandle=1) returned 0xf4 [0039.020] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a05c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0039.020] WriteFile (in: hFile=0xf4, lpBuffer=0x4a05c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x2ef918, lpOverlapped=0x0 | out: lpBuffer=0x4a05c320*, lpNumberOfBytesWritten=0x2ef918*=0x24, lpOverlapped=0x0) returned 1 [0039.020] GetProcessHeap () returned 0x3d0000 [0039.020] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4012) returned 0x3ef630 [0039.021] GetProcessHeap () returned 0x3d0000 [0039.021] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3ef630 | out: hHeap=0x3d0000) returned 1 [0039.021] GetProcessHeap () returned 0x3d0000 [0039.021] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb0) returned 0x3e97e0 [0039.021] GetProcessHeap () returned 0x3d0000 [0039.021] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x22) returned 0x3e4610 [0039.021] GetProcessHeap () returned 0x3d0000 [0039.022] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x48) returned 0x3eaa90 [0039.022] GetConsoleOutputCP () returned 0x4e3 [0039.022] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0039.022] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0039.022] GetConsoleTitleW (in: lpConsoleTitle=0x2ef8d0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0039.022] GetProcessHeap () returned 0x3d0000 [0039.023] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x218) returned 0x3e9910 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x5a) returned 0x3e9b30 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x420) returned 0x3e9090 [0039.023] SetErrorMode (uMode=0x0) returned 0x0 [0039.023] SetErrorMode (uMode=0x1) returned 0x0 [0039.023] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3e90a0, lpFilePart=0x2ef160 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef160*="Desktop") returned 0x25 [0039.023] SetErrorMode (uMode=0x0) returned 0x1 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e9090, Size=0x6e) returned 0x3e9090 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e9090) returned 0x6e [0039.023] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0039.023] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x128) returned 0x3e5b70 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x240) returned 0x3d1ab0 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3d1ab0, Size=0x12a) returned 0x3d1ab0 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3d1ab0) returned 0x12a [0039.023] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xe8) returned 0x3e9db0 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e9db0, Size=0x7e) returned 0x3e9db0 [0039.023] GetProcessHeap () returned 0x3d0000 [0039.023] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e9db0) returned 0x7e [0039.024] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.024] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0039.024] GetLastError () returned 0x2 [0039.024] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0039.024] GetLastError () returned 0x2 [0039.024] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0x3e9ba0 [0039.024] FindClose (in: hFindFile=0x3e9ba0 | out: hFindFile=0x3e9ba0) returned 1 [0039.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0039.024] GetLastError () returned 0x2 [0039.025] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0x3e9ba0 [0039.025] FindClose (in: hFindFile=0x3e9ba0 | out: hFindFile=0x3e9ba0) returned 1 [0039.025] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0039.025] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0039.025] GetConsoleTitleW (in: lpConsoleTitle=0x2ef420, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0039.025] GetProcessHeap () returned 0x3d0000 [0039.025] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x21c) returned 0x3e9110 [0039.025] GetConsoleTitleW (in: lpConsoleTitle=0x3e9120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0039.025] GetProcessHeap () returned 0x3d0000 [0039.025] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e9110, Size=0xc0) returned 0x3e9110 [0039.025] GetProcessHeap () returned 0x3d0000 [0039.025] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e9110) returned 0xc0 [0039.025] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0039.026] GetProcessHeap () returned 0x3d0000 [0039.026] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e9110 | out: hHeap=0x3d0000) returned 1 [0039.026] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef1d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef198 | out: lpAttributeList=0x2ef1d8, lpSize=0x2ef198) returned 1 [0039.026] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef1d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef188, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef1d8, lpPreviousValue=0x0) returned 1 [0039.026] GetStartupInfoW (in: lpStartupInfo=0x2ef2f0 | out: lpStartupInfo=0x2ef2f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0039.026] GetProcessHeap () returned 0x3d0000 [0039.026] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x20) returned 0x3e4640 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0039.026] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0039.027] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0039.027] GetProcessHeap () returned 0x3d0000 [0039.027] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4640 | out: hHeap=0x3d0000) returned 1 [0039.027] GetProcessHeap () returned 0x3d0000 [0039.027] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x12) returned 0x3e8900 [0039.027] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2ef210*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1c0 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x2ef1c0*(hProcess=0x50, hThread=0x54, dwProcessId=0xb2c, dwThreadId=0xb28)) returned 1 [0039.035] CloseHandle (hObject=0x54) returned 1 [0039.035] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.035] GetProcessHeap () returned 0x3d0000 [0039.035] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eeb10 | out: hHeap=0x3d0000) returned 1 [0039.035] GetEnvironmentStringsW () returned 0x3eeb10* [0039.035] GetProcessHeap () returned 0x3d0000 [0039.035] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb0e) returned 0x3ef630 [0039.035] FreeEnvironmentStringsW (penv=0x3eeb10) returned 1 [0039.035] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x2eeac8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x2eeac8, ReturnLength=0x0) returned 0x0 [0039.035] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffda000, lpBuffer=0x2eeb00, nSize=0x380, lpNumberOfBytesRead=0x2eeac0 | out: lpBuffer=0x2eeb00*, lpNumberOfBytesRead=0x2eeac0*=0x380) returned 1 [0039.036] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x4b980000" os_pid = "0xb10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa8c" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 14 os_tid = 0xb0c Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x48191000" os_pid = "0xb2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa8c" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0xb28 Thread: id = 23 os_tid = 0x15c Thread: id = 24 os_tid = 0x7bc Thread: id = 25 os_tid = 0x804 Thread: id = 26 os_tid = 0x814 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x42a18000" os_pid = "0x824" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00058dd5" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 27 os_tid = 0x894 Thread: id = 28 os_tid = 0x884 Thread: id = 29 os_tid = 0x874 Thread: id = 30 os_tid = 0x864 [0050.292] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcedcc0 | out: lpSystemTimeAsFileTime=0xcedcc0*(dwLowDateTime=0x95116da0, dwHighDateTime=0x1d5eb2e)) [0050.292] GetCurrentProcessId () returned 0x824 [0050.292] GetCurrentThreadId () returned 0x864 [0050.292] GetTickCount () returned 0x114643f [0050.292] QueryPerformanceCounter (in: lpPerformanceCount=0xcedcc8 | out: lpPerformanceCount=0xcedcc8*=17104802982) returned 1 [0050.292] malloc (_Size=0x100) returned 0x638e80 Thread: id = 31 os_tid = 0x854 Thread: id = 32 os_tid = 0x844 Thread: id = 33 os_tid = 0x834 Thread: id = 48 os_tid = 0x8c4 Thread: id = 55 os_tid = 0x700 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 34 os_tid = 0x484 Thread: id = 35 os_tid = 0xa3c Thread: id = 36 os_tid = 0x768 Thread: id = 37 os_tid = 0x764 Thread: id = 38 os_tid = 0x758 Thread: id = 39 os_tid = 0x724 Thread: id = 40 os_tid = 0x718 Thread: id = 41 os_tid = 0x714 Thread: id = 42 os_tid = 0x630 Thread: id = 43 os_tid = 0x154 Thread: id = 44 os_tid = 0x150 Thread: id = 45 os_tid = 0x120 Thread: id = 46 os_tid = 0x118 Thread: id = 47 os_tid = 0xf0 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4011d000" os_pid = "0x8a4" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00059705" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 49 os_tid = 0x914 Thread: id = 50 os_tid = 0x904 Thread: id = 51 os_tid = 0x8f4 Thread: id = 52 os_tid = 0x8e4 Thread: id = 53 os_tid = 0x8d4 Thread: id = 54 os_tid = 0x8b4